I am using Java / BC for digital signatures on OSX, and initialize the keystore with the following:
keystore = KeyStore.getInstance("KeychainStore", "Apple");
keystore.load(null, null);
The signature is generated by:
ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider(provider).build(pkey);
// sigInfoGeneratorBuilder is a JcaSignerInfoGeneratorBuilder set up earlier (not shown in the question)
SignerInfoGenerator sigInfoGen = sigInfoGeneratorBuilder.build(sigGen, new X509CertificateHolder(x509.getEncoded()));
When "Apple" is the provider, I get the following error:
Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA1WITHRSA for provider Apple
at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
at com.unitech.crypto.signers.CmsSigner.sign(CmsSigner.java:51)
... 4 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA1WITHRSA for provider Apple
at sun.security.jca.GetInstance.getService(GetInstance.java:101)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
at java.security.Signature.getInstance(Signature.java:405)
at org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createSignature(Unknown Source)
at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source)
... 6 more
On the other hand, if the provider is "BC" I get:
Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: Supplied key (null) is not a RSAPrivateKey instance
at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
at com.unitech.crypto.signers.CmsSigner.sign(CmsSigner.java:51)
... 4 more
Caused by: java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
at org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineInitSign(Unknown Source)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1174)
at java.security.Signature.initSign(Signature.java:527)
... 6 more
pkey lives on a connected smart card (accessible from the Keychain). I can sign with it using PKCS#11 routines, but for me it would be better to do it through BC.
Any help/ideas would be appreciated.
Thanks in advance.
Answer 0: (score: 2)
Bouncy Castle is a software-only provider. It cannot handle hardware keys, so you need to use the Apple or PKCS#11 provider. The whole idea of a secure hardware token is that the key stays in the device. BC requires the key to be in memory.
You might also want to try a different signature generation function, such as "SHA256withRSA". By now, signing messages with SHA-1 is considered insecure.
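As an added example (not the asker's code and not Bouncy Castle's own), this is the split the answer describes: the PKCS#11 provider that owns the key performs the RSA signature, while BC only digests the content and assembles the CMS structure. The config path, key alias and PIN are placeholders, and the SunPKCS11 configuration call assumes Java 9 or later.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

public class TokenCmsSigner {
    // Placeholder: SunPKCS11 config file naming the card's PKCS#11 library and slot.
    static final String PKCS11_CONFIG = "/path/to/pkcs11.cfg";
    // Placeholder: alias of the signing key on the token.
    static final String KEY_ALIAS = "signing-key";

    public static CMSSignedData sign(byte[] content, char[] pin) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Java 9+: configure the bundled SunPKCS11 provider from the config file.
        Provider p11 = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(p11);

        // The key object returned here is only a handle; the key material stays on the card.
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        PrivateKey pkey = (PrivateKey) ks.getKey(KEY_ALIAS, pin);
        X509Certificate cert = (X509Certificate) ks.getCertificate(KEY_ALIAS);

        // The signature operation must run in the provider that owns the key. Passing
        // this handle to BC would fail, since BC expects a software RSAPrivateKey.
        ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider(p11).build(pkey);

        // Digesting and CMS assembly need no private key, so BC can do them.
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().setProvider("BC").build())
                .build(sigGen, cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));
        return gen.generate(new CMSProcessableByteArray(content), true);
    }
}
```

On Java 8 the provider is created with `new sun.security.pkcs11.SunPKCS11(PKCS11_CONFIG)` instead of `configure`; the rest is unchanged.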