我们有一个使用OpenSSL生成S / MIME数字签名的流程,需要稍后使用Java 7进行验证。一方面,我们使用OpenSSL读取文本文件并生成签名的数字输出,稍后进行验证。 / p>
我们曾经使用OpenSSL进行验证,但现在我们需要Java(注意:我们现在不能指望OpenSSL可用)。
我们使用此签名:openssl smime -sign -inkey private.key -signer public.key -in ${f} > ${f}.signed并验证:openssl smime -verify -noverify -in ${f}.signed
注意:验证不验证证书,仅检查签名/内容。
我需要将此过程的验证部分更改为java应用程序,最好使用Java 7(我认为现在内置了JCE)。
示例输出类似于......
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----185C6C544BB34D30B0835B915C158544"
This is an S/MIME signed message
------185C6C544BB34D30B0835B915C158544
Four score and seven years ago our fathers brought forth on this continent, a
new nation, conceived in Liberty, and dedicated to the proposition that all
men are created equal.
Now we are engaged in a great civil war, testing whether that nation, ...
------185C6C544BB34D30B0835B915C158544
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIKAAYJKoZIhvcNAQcCoIIJ8TCCCe0CAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggchMIIHHTCCBgWgAwIBAgIEUzuEpzANBgkqhkiG9w0BAQsFADCB
hzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEoMCYGA1UE
CxMfRGVwYXJ0bWVudCBvZiBIb21lbGFuZCBTZWN1cml0eTEiMCAGA1UECxMZQ2Vy
dGlm ...
... JIQeeE=
------185C6C544BB34D30B0835B915C158544--
签名算法是sha256WithRSAEncryption;例子......
openssl smime -pk7out -in message.signed | openssl pkcs7 -text -noout -print_certs
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1396409511 (0x533b84a7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Corp, OU=Acme, OU=CA
Validity
Not Before: May 16 15:27:56 2014 GMT
Not After : May 16 15:57:56 2015 GMT
Subject: C=US, O=Corp, OU=Acme, OU=CBP, CN=foo.acme.corp.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:00:00:00:00:b1:b6:49:6e:ca:d7:61:07:a0:18:
...
c9:de:ab:a7:2f:97:e4:f6:64:37:ec:3a:9d:ae:c0:
16:03
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Certificate Policies:
Policy: 2.16.840.1.101.3.2.1.3.8
...
我看了很多很多例子,尝试了多个没有成功的例子。我希望有一些消息来源与你分享,但到目前为止我所获得的成功至少没有帮助。
答案 0 :(得分:1)
这可以使用Bouncy Castle Crypto API来完成,您可以在其中使用以下官方示例作为参考https://github.com/bcgit/bc-java/blob/master/mail/src/main/java/org/bouncycastle/mail/smime/examples/ValidateSignedMail.java。
举一个更简单的示例来对包含证书链的签名电子邮件进行完全验证,您可以使用org.bouncycastle:bcmail-jdk15on:1.52做这样的事情:
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.mail.smime.validator.SignedMailValidator;
import javax.mail.internet.MimeMessage;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXParameters;
public class SignedMailValidatorExample {
public static void main(String[] args) throws Exception {
Security.addProvider(new BouncyCastleProvider());
FileInputStream signedEmailInputStream = new FileInputStream("signed_email.eml");
MimeMessage signedEmailMimeMessage = new MimeMessage(null, signedEmailInputStream);
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream("truststore.jks"), "changeit".toCharArray());
PKIXParameters pkixParameters = new PKIXParameters(trustStore);
pkixParameters.setRevocationEnabled(false);
SignedMailValidator signedMailValidator = new SignedMailValidator(signedEmailMimeMessage, pkixParameters);
boolean successfulValidation = true;
for (SignerInformation signerInformation : signedMailValidator.getSignerInformationStore().getSigners()) {
SignedMailValidator.ValidationResult signerValidationResult = signedMailValidator
.getValidationResult(signerInformation);
if (!signerValidationResult.isValidSignature()) {
successfulValidation = false;
break;
}
}
if (successfulValidation) {
System.out.println("Signed email validated correctly.");
} else {
System.out.println("Signed email validation failed.");
}
}
}
truststore.jks的位置应包含一个CA证书(例如颁发CA),该证书链接到用于签署电子邮件的证书。现在,您可以使用https://keystore-explorer.org/之类的软件轻松创建此文件。