Bouncy Castle - How implementes SignedAndEnveloped data with Bouncy Castle

3
votes

I would like to created an signedAndEnvelopedData (PKCS #7) data implemented with Bouncy Castle (Version 1.59).

In the Bouncy Castle the interface CMSObjectIdentifiers includes the type signedAndEnvelopedData.

However, when tried many times, it can't be created correctly. Could you please give some suggestion and following are my core implemented

  1. Signing data first
CMSTypedData msg = (CMSTypedData) new CMSProcessableByteArray(
        new ASN1ObjectIdentifier(CMSObjectIdentifiers.data.getId()),
        srcMsg.getBytes(charSet));

Store certs = new JcaCertStore(certList);

CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
ContentSigner signer = new JcaContentSignerBuilder(
        signatureSchema).setProvider("BC").build(privateKey);

gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
        new JcaDigestCalculatorProviderBuilder().setProvider("BC")
                .build()).build(signer, cerx509));

gen.addCertificates(certs);

CMSSignedData sigData = gen.generate(msg, true);
sigData = new CMSSignedData(msg,sigData.getEncoded())

return sigData.getEncoded()

Here I set the input data to CMSTypeData as CMSObjectIdentifiers.data.getId()

CMSTypedData msg = (CMSTypedData) new CMSProcessableByteArray(
                new ASN1ObjectIdentifier(CMSObjectIdentifiers.data.getId()),
                srcMsg.getBytes(charSet));
  1. the output of signed data would be used to be the input of enveloping
CMSTypedData msg = new CMSProcessableByteArray(new ASN1ObjectIdentifier(CMSObjectIdentifiers.signedAndEnvelopedData.getId()),srcMsg.getBytes(charSet));

    CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();

    JcaAlgorithmParametersConverter paramsConverter = new JcaAlgorithmParametersConverter();

    edGen.addRecipientInfoGenerator(
            new JceKeyTransRecipientInfoGenerator(cert,paramsConverter.getAlgorithmIdentifier(PKCSObjectIdentifiers.id_RSAES_OAEP,OAEPParameterSpec.DEFAULT))
                    .setProvider(new BouncyCastleProvider()));
    OutputEncryptor encryptor = new JceCMSContentEncryptorBuilder(CMSAlgorithm.AES256_CBC)
            .setProvider(new BouncyCastleProvider())
            .build()
    CMSEnvelopedData ed = edGen.generate(msg,encryptor)

    encryptedContent = ed.getEncoded()
    String result = new String(Base64.encode(ed.getEncoded()));

    return result;

Here I set the input data to CMSTypedData as CMSObjectIdentifiers.signedAndEnvelopedData.getId()

CMSTypedData msg = new CMSProcessableByteArray(new ASN1ObjectIdentifier(CMSObjectIdentifiers.signedAndEnvelopedData.getId()),srcMsg.getBytes(charSet));

Questions:

  1. Is Bouncy Castle (1.59) supported PKCS#7 SignedAndEnevloped
  2. If the first question is YES, are my steps correct creating SignedAndEnevloped Data ?
  3. If the first question is NO, are the some way to implement it ?
1
javacryptographybouncycastlepkcs#7
Cross posting is not allowed, but I'd at least ask this as well on the Bouncy Castle Dev mailing list. If you get an answer there you could post it here.Maarten Bodewes
SignedAndEnveloped is a distinct type in PKCS7 = rfc2315 sec 11 that is not the same as signed-then-enveloped (as you almost have) or enveloped-then-signed. It is not carried forward to CMS, and AFAICT not implemented by BC. I think you'll have to implement it yourself, following the spec and probably using parts of the code for Enveloped and Signed.dave_thompson_085
Actually I only want to create the SignedAndEnveloped data whatever signed-then-enveloped or enveloped-then-signed tries. I tried an alternative implementation with IAIK en.wikipedia.org/wiki/IAIK-JCE but it's commercialuser3551490

1 Answers

0
votes

I just wrote a demo about using Bouncy Caslte Provider to do RSA in XMLSignatrure(SignedAndEnevloped),see this post, https://honwhy.wang/2018/09/07/use-bc-provider-xmlsignature/

demo code,

1, https://github.com/Honwhy/xml-sec/blob/master/src/main/java/com/honey/xmlsec/BcSignatureAlgorithm.java#L37

2, https://github.com/Honwhy/xml-sec/blob/master/src/main/java/com/honey/xmlsec/MyUtil.java#L107

maybe you have to ajust some lines to meet your request.