Search code examples
javabouncycastlex509pkcs#7

How to convert X509 certificate into PKCS7 using bouncycastle?

Hi, all! My problem is following: I 'm trying to encrypt X509 certificate to PKCS7 but I receive a wrong result.

The first attempt is:(used bcmail-jdk16:1.46)


            Security.addProvider(new BouncyCastleProvider());

            keystore = KeyStore.getInstance("PKCS12", "BC");
            keystore.load (new FileInputStream(PATH+"//pkcs7-csr-cer//identity.p12"), "testpassword".toCharArray());
            PrivateKey privateKey = (PrivateKey)keystore.getKey("testclientcert", "testpassword".toCharArray());

            CMSSignedDataGenerator signedDataGen = new CMSSignedDataGenerator();

            signedDataGen.addSigner(privateKey, certificate, CMSSignedDataGenerator.ENCRYPTION_RSA, CMSSignedDataGenerator.DIGEST_SHA256);
            CMSProcessableFile pkcs7 = new CMSProcessableFile(new File(destinationfile));
            CMSSignedData signedData = signedDataGen.generate(pkcs7, true, "BC");
            signedData = new CMSSignedData(pkcs7, signedData.getEncoded());

...and it doesn't work.

The second attempt is next(used bcmail-jdk16-140):


        Security.addProvider(new BouncyCastleProvider());

        CMSEnvelopedDataGenerator envDataGen = new CMSEnvelopedDataGenerator();
        envDataGen.addKeyTransRecipient(certificate);

        CMSProcessable sData = new CMSProcessableByteArray(certificate.getEncoded());
        CMSEnvelopedData enveloped = envDataGen.generate(sData, CMSEnvelopedDataGenerator.AES256_CBC, "BC");
        return enveloped.getEncoded();

I get wrong results in both cases. Help please who know a right way to do it. Thanks!

Solution

  • I found the solution!

    
    private byte[] encryptCertToPKCS7(X509Certificate certificate, Key key) 
                throws CertificateEncodingException, CMSException, NoSuchProviderException, NoSuchAlgorithmException, IOException, OperatorCreationException {
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();

        ContentSigner sha256Signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build((PrivateKey) key);
        generator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder()
                                                                               .setProvider("BC").build())
                                                                              .build(sha256Signer, certificate));
        generator.addCertificates(new JcaCertStore(certificates));
        CMSTypedData content = new CMSProcessableByteArray(certificate.getEncoded());

        CMSSignedData signedData = generator.generate(content, true);
        return signedData.getEncoded();
    }