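BouncyCastle - Signature algorithm in TBS cert not same as outer cert

Time: 2014-04-06 22:49:33

Tags: certificate digital-signature bouncycastle x509

I am trying to validate a certificate path and signature using the Bouncy Castle API.

I get the following exception. I have verified that the signature algorithm 'SHA256WithRSAEncryption' is the same in my certificate and in the issuer certificate.

Any help is greatly appreciated.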

Exception in thread "main" org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate signature.
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)


Caused by: java.security.cert.CertificateException: signature algorithm in TBS cert not same as outer cert
    at org.bouncycastle.jce.provider.X509CertificateObject.checkSignature(Unknown Source)
    at org.bouncycastle.jce.provider.X509CertificateObject.verify(Unknown Source)
    at org.bouncycastle.jce.provider.CertPathValidatorUtilities.verifyX509Certificate(Unknown Source)
    ... 6 more

Signing:

    public byte[] sign(byte[] data) throws GeneralSecurityException, CMSException, IOException {
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSigner(pk, (X509Certificate) cert,
            CMSSignedDataGenerator.DIGEST_SHA1); // Also tried DIGEST_SHA256
        generator.addCertificatesAndCRLs(getCertStore());
        CMSProcessable content = new CMSProcessableByteArray(data);

        CMSSignedData signedData = generator.generate(content, true, "BC");
        return signedData.getEncoded();
    }

Verification:

    CollectionCertStoreParameters params = new CollectionCertStoreParameters(list);
    CertStore store = CertStore.getInstance("Collection", params, "BC");
    // Create certificate path
    CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC");
    List<X509Certificate> certChain = new ArrayList<X509Certificate>();
    // Create the certificate chain
    for (int i = 0; i < list.size(); i++)
        certChain.add(list.get(i));
    // Create the chain of certificates
    CertPath certPath = fact.generateCertPath(certChain);

    Set<TrustAnchor> trust = Collections.singleton(new TrustAnchor(rootX509cert, null));
    // Get the certificate path validator
    CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
    PKIXParameters param = new PKIXParameters(trust);
    param.setRevocationEnabled(false);
    param.addCertStore(store);
    param.setDate(new Date());
    param.addCertPathChecker(new PathChecker());

    // Validate the certificate path
    validator.validate(certPath, param);

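1 answer:

Answer 0 (score: 1)

I am not sure whether this is a problem with your CMS structure or with the certificate path validation. I think one of your certificates is wrong.

The exception states that in an X509Certificate (my guess is your signer certificate or one in its chain) the value of Certificate signatureAlgorithm differs from TBSCertificate signature.

See http://tools.ietf.org/html/rfc5280#section-4.1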

Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier, <--
    signatureValue       BIT STRING  }



TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier, <--
    issuer               Name,
    ...
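
The comparison the answer describes can be run directly on a certificate's DER bytes. This is an added example, not part of the original question or answer and not Bouncy Castle's code: it extracts the outer signatureAlgorithm and TBSCertificate.signature and compares their encodings byte for byte, so a difference in parameters (such as NULL versus absent) shows up as well as a different OID. All function names and the skeleton input are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(element):
    """Return the raw DER encodings of the elements inside a constructed element."""
    _, pos, end = read_tlv(element, 0)
    out = []
    while pos < end:
        _, _, nxt = read_tlv(element, pos)
        out.append(element[pos:nxt])
        pos = nxt
    return out

def signature_algorithms(cert_der):
    """Return (outer signatureAlgorithm, TBSCertificate.signature) as raw DER."""
    tbs, outer_alg = children(cert_der)[:2]
    fields = children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    return outer_alg, fields[1]            # fields[0] is serialNumber

def algorithms_match(cert_der):
    outer, inner = signature_algorithms(cert_der)
    return outer == inner

def der(tag, content):
    """Encode one short-form DER element (enough for the constructed sample)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

# AlgorithmIdentifiers: sha256WithRSAEncryption and sha1WithRSAEncryption, NULL parameters
SHA256_RSA = der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
SHA1_RSA = der(0x30, bytes.fromhex("06092a864886f70d010105") + b"\x05\x00")

def skeleton(inner_alg, outer_alg):
    """Constructed input: only the fields this check reads, not a valid certificate."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + inner_alg)
    return der(0x30, tbs + outer_alg + der(0x03, b"\x00"))
```

To check a real chain, pass each certificate's DER encoding to `algorithms_match` (for a PEM file, `ssl.PEM_cert_to_DER_cert` converts it first); the certificate for which it returns False is the one to reissue.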