在CMS中添加签名证书作为签名属性

Question

这是将签名证书作为签名属性添加的方式吗？

JcaSignerInfoGeneratorBuilder builder = new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build());
Attribute attr = new Attribute(CMSAttributes.messageDigest, new DERSet(new DEROctetString( this.digest(myCert.getEncoded()) )));// using SHA-512 for this.digest()
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(attr);
builder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(new AttributeTable(v)));

关于验证

signerInformation.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))

我得到了异常：

org.bouncycastle.cms.CMSSignerDigestMismatchException: message-digest attribute value does not match calculated value

对于属性的摘要计算，我使用SHA-512对SHA512withRSA进行签名。

Answer 1

可以使用BouncyCastle将签名证书添加为签名属性：

final X500Name issuerX500Name = new X509CertificateHolder(mycert.getEncoded()).getIssuer();
final GeneralName generalName = new GeneralName(issuerX500Name);
final GeneralNames generalNames = new GeneralNames(generalName);
final BigInteger serialNumber = mycert.getSerialNumber();
final IssuerSerial issuerSerial = new IssuerSerial(generalNames, serialNumber);

ESSCertIDv2 certid = new ESSCertIDv2(new AlgorithmIdentifier(new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.3")), this.digest(mycert.getEncoded()), issuerSerial);
SigningCertificateV2 sigcert = new SigningCertificateV2(certid);
final DERSet attrValues = new DERSet(sigcert);
Attribute attr = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, attrValues);
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(attr);

JcaSignerInfoGeneratorBuilder builder = new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build());
builder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(new AttributeTable(v)));