Cannot verify signature (cmssigneddata) bouncycastle

问题

When I want to verify my signature made with BouncyCastle I don't get into the second while loop of the verifySignature method. The store.getMatches() gives back an empty array.

public static CMSSignedData sign() throws Exception {
    byte[] file = fileChooser();
    store = KeyStore.getInstance(storeType);
    FileInputStream in = new FileInputStream(new File(storePathKey));
    store.load(in, storePassword);
    in.close();

    Key priv = store.getKey("Subject", storePassword);
    System.out.println(priv.toString() + "priv string");
    X509Certificate cert = (X509Certificate) store.geCertificate("Subject");
    ContentSigner signer = new JcaContentSignerBuilder(sigAlgo).build((RSAPrivateKey) priv);

    CMSTypedData data = new CMSProcessableByteArray(file);
    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
        .build(signer, cert));
    CMSSignedData sigData = gen.generate(data, true);

    return sigData;
}

public static void verifySig(CMSSignedData sigData) throws Exception {
    Store store = sigData.getCertificates();
    SignerInformationStore signers = sigData.getSignerInfos();
    System.out.println(store.toString() + "store");
    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) {
        System.out.println("enter while loop1");
        SignerInformation signer = (SignerInformation) it.next();

        Collection certCollection = store.getMatches(signer.getSID());
        Iterator certIt = certCollection.iterator();
        System.out.println(store.getMatches(null) + "collection of certs");

        while (certIt.hasNext()) {
            System.out.println("enter while loop2");
            X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();
            X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certHolder);

            if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))) {
                System.out.println("verified correct");
            } else {
                System.out.println("not verified");
            }
        }
    }
}

Am I missing something in the sign() method?

回答1:

You need to add the certificate to a org.bouncycastle.util.CollectionStore, and add this store to the signature.

I'm using BouncyCastle 1.56:

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.util.CollectionStore;

// add these lines after gen.addSignerInfoGenerator(...)

// cert is your X509Certificate
X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
CollectionStore<X509CertificateHolder> certStore = new CollectionStore<>(Collections.singletonList(holder));
gen.addCertificates(certStore); // add the store to the signature

The CollectionStore is useful when you want to add more than one certificate. If you want to add just one, you can also do:

X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
gen.addCertificate(holder);

The output I've got:

enter while loop1
[org.bouncycastle.cert.X509CertificateHolder@5bc807a8]collection of certs
enter while loop2
verified correct

来源：https://stackoverflow.com/questions/43995011/cannot-verify-signature-cmssigneddata-bouncycastle