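I'm having trouble signing the manifest.json file on a Java server. I created the various files for the pushpackage and listed all of them in the manifest, as described in the official documentation.
Then I tried to create the "signature" file with this method: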
```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import sun.security.pkcs.ContentInfo;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.SignerInfo;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.x509.AlgorithmId;
import sun.security.x509.X500Name;

private static byte[] getSignatureFile(byte[] store, byte[] dataToSign) throws KeyStoreException,
        NoSuchAlgorithmException, CertificateException, IOException, InvalidKeyException, UnrecoverableKeyException,
        SignatureException {
    if (store == null) {
        LOGGER.error("Could not find store file (.p12)");
        return null;
    }
    // First load the keystore object by providing the p12 file path
    KeyStore clientStore = KeyStore.getInstance("PKCS12");
    // replace testPass with the p12 password/pin
    clientStore.load(new ByteArrayInputStream(store), STOREPASS.toCharArray());
    Enumeration<String> aliases = clientStore.aliases();
    String aliaz = "";
    while (aliases.hasMoreElements()) {
        aliaz = aliases.nextElement();
        if (clientStore.isKeyEntry(aliaz)) {
            break;
        }
    }
    X509Certificate c = (X509Certificate) clientStore.getCertificate(aliaz);
    // compute signature:
    Signature signature = Signature.getInstance("Sha1WithRSA");
    signature.initSign((PrivateKey) clientStore.getKey(aliaz, STOREPASS.toCharArray()));
    signature.update(dataToSign);
    byte[] signedData = signature.sign();
    // load X500Name
    X500Name xName = X500Name.asX500Name(c.getSubjectX500Principal());
    // load serial number
    BigInteger serial = c.getSerialNumber();
    // load digest algorithm
    AlgorithmId digestAlgorithmId = new AlgorithmId(AlgorithmId.SHA_oid);
    // load signing algorithm
    AlgorithmId signAlgorithmId = new AlgorithmId(AlgorithmId.RSAEncryption_oid);
    // Create SignerInfo:
    SignerInfo sInfo = new SignerInfo(xName, serial, digestAlgorithmId, signAlgorithmId, signedData);
    // Create ContentInfo:
    ContentInfo cInfo = new ContentInfo(ContentInfo.DIGESTED_DATA_OID, new DerValue(DerValue.tag_OctetString,
            dataToSign));
    // Create PKCS7 Signed data
    PKCS7 p7 = new PKCS7(new AlgorithmId[] { digestAlgorithmId }, cInfo,
            new java.security.cert.X509Certificate[] { c }, new SignerInfo[] { sInfo });
    // Write PKCS7 to byte array
    ByteArrayOutputStream bOut = new DerOutputStream();
    p7.encodeSignedData(bOut);
    return bOut.toByteArray();
}
```
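"store" holds the .p12 file containing the certificate and private key. "dataToSign" holds the manifest.json.
It runs without errors and creates the signature file, which I put in the zip. Everything seems fine, but I guess it is not creating a valid PKCS #7 detached signature, because when I access it, it immediately returns "access denied" and the log says (this comes with the log REST call):
"Signature verification of push package failed"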
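For comparison, an added example (not part of the original post) of producing a detached PKCS #7 (CMS) signature with the Bouncy Castle `bcprov`/`bcpkix` libraries, which the post does not use; the method above instead passes `ContentInfo.DIGESTED_DATA_OID` with the manifest bytes embedded. The class and method names are hypothetical, and the signature algorithm is left as a parameter because the page does not say which one the verifier expects.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

// Added example, not the poster's code; class and method names are hypothetical.
public final class DetachedManifestSigner {
    /** Returns a DER-encoded detached CMS SignedData over data (e.g. manifest.json). */
    static byte[] signDetached(byte[] p12, char[] pass, String sigAlg, byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), pass);
        String alias = null;
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalStateException("no private-key entry in the .p12");
        PrivateKey key = (PrivateKey) ks.getKey(alias, pass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        ContentSigner signer = new JcaContentSignerBuilder(sigAlg).build(key);
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build()).build(signer, cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));
        // encapsulate=false: content type stays id-data and the payload is left out (detached)
        return gen.generate(new CMSProcessableByteArray(data), false).getEncoded();
    }

    /** Re-parses sig as a verifier would; false (or an exception from verify) means it is not valid. */
    static boolean isValidDetached(byte[] sig, byte[] data, X509Certificate cert) throws Exception {
        if (new CMSSignedData(sig).getSignedContent() != null) return false; // payload was embedded
        CMSSignedData parsed = new CMSSignedData(new CMSProcessableByteArray(data), sig);
        if (parsed.getSignerInfos().getSigners().isEmpty()) return false;    // nothing signed it
        for (SignerInformation si : parsed.getSignerInfos().getSigners()) {
            if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))) return false;
        }
        return true;
    }
}
```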