PKCS#7 Format Digital Signature Verification

Source: Internet
Author: User
Terminology
Digital signature: Defined in the ISO 7498-2 standard as: "Data appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to confirm the source and integrity of the data unit, and that protects the data against forgery by someone (such as the recipient)."

PKCS#7: Also known as the Cryptographic Message Syntax Standard, a standard developed by RSA Security for exchanging digital certificates in a public-key cryptography system. PKCS#7 describes the syntax of digital certificates and of other cryptographic messages, in particular the methods for data encryption and digital signatures, and also covers the algorithms. When data is digitally signed with PKCS#7, the result contains the signing certificate (with a list of related certificate revocations) and any other certificates on the certification path. When PKCS#7 is used to encrypt data, the result usually contains a reference to the issuer and the certificate's serial number, which are related to the public key used to decrypt the encrypted data.

The PKCS#7 standard defines a variety of content types, including the following:
• Data: A byte (8-bit) string.
• Signed data: Data along with the encrypted message digest. A message digest is the result of a hashing algorithm (the terms digest and hash mean the same thing). The message digest is used to ensure that the original message has not been tampered with in transit and to confirm the identity of the sender.
• Enveloped data: Ciphertext plus the public key to decrypt the data. In this way the message content is kept confidential from everyone except the trusted recipient.
• Signed and enveloped data: Encrypted content together with a public key and a doubly encrypted message digest.
• Digested data: Data plus a message digest.
• Encrypted data: In this case, the public key for the encrypted data must be transmitted through some other mechanism.

Implementation method
1. Use the security package that comes with Java. Because the JDK has no handling for PKCS#7-format signature data, three parameters are required for verification: the original text, the signature data and the signer's certificate (or the signer's public key), all of which are BASE64 encoded. The code is as follows:

    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import java.security.Signature;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    public boolean signedData_verify(byte[] signData, byte[] signedData, byte[] cert) {
        boolean verifyRet = true;
        try {
            // Create a factory object
            CertificateFactory oCf = CertificateFactory.getInstance("X.509");

            // Create an X509 certificate object
            InputStream oIs = new ByteArrayInputStream(cert);
            X509Certificate oCert = (X509Certificate) oCf.generateCertificate(oIs);

            // Create a Signature object
            Signature oSign = Signature.getInstance("SHA1withRSA");

            // Initialize the Signature object with the signer's certificate
            oSign.initVerify(oCert);

            // Pass in the original text that was signed
            oSign.update(signData);

            // Verify the digital signature
            verifyRet = oSign.verify(signedData);
        } catch (Exception e) {
            // Any parsing or verification error counts as a failed verification
            verifyRet = false;
            e.printStackTrace();
            System.out.println("Failed to verify digital signature");
        }
        return verifyRet;
    }

2. Bouncy Castle's CMSSignedData can verify PKCS#7-format signature data; CMSSignedData is also used to generate PKCS#7-format signature data. Because the PKCS#7 structure contains the original text and the certificate information, the only parameter needed is the signature value. The code is as follows:

    import java.security.Security;
    import java.security.cert.CertStore;
    import java.security.cert.X509Certificate;
    import java.util.Collection;
    import java.util.Iterator;
    import org.bouncycastle.cms.CMSSignedData;
    import org.bouncycastle.cms.SignerInformation;
    import org.bouncycastle.cms.SignerInformationStore;

    public boolean signedData_verify(byte[] signedData) {
        boolean verifyRet = true;
        try {
            // Create the PKCS#7 signature data processing object
            CMSSignedData sign = new CMSSignedData(signedData);

            // Add Bouncy Castle as a security provider
            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Obtain the certificate information
            CertStore certs = sign.getCertificatesAndCRLs("Collection", "BC");

            // Get the signer information
            SignerInformationStore signers = sign.getSignerInfos();
            Collection c = signers.getSigners();
            Iterator it = c.iterator();

            // A message with no signer information has nothing to verify: reject it
            if (c.isEmpty()) {
                verifyRet = false;
            }

            // When there are multiple signers, all of them must verify
            while (it.hasNext()) {
                SignerInformation signer = (SignerInformation) it.next();

                // Certificate chain
                Collection certCollection = certs.getCertificates(signer.getSID());
                Iterator certIt = certCollection.iterator();
                X509Certificate cert = (X509Certificate) certIt.next();

                // Verify the digital signature; stop at the first failure so that
                // a later valid signer cannot overwrite the result
                if (!signer.verify(cert.getPublicKey(), "BC")) {
                    verifyRet = false;
                    break;
                }
            }
        } catch (Exception e) {
            // Any parsing or verification error counts as a failed verification
            verifyRet = false;
            e.printStackTrace();
            System.out.println("Failed to verify digital signature");
        }
        return verifyRet;
    }
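
Method 2 takes the signer's certificate from the PKCS#7 message itself, so a true result only shows that the content matches whichever certificate the sender embedded. The following added example (not code from the original page) also requires each signer certificate to chain to a caller-supplied trust anchor. It assumes a current bcpkix release and uses its Store / JcaSimpleSignerInfoVerifierBuilder API instead of the provider-string calls above; the class and method names are hypothetical, and revocation checking is switched off because no CRL/OCSP source is assumed.

```java
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.util.Store;

// Added example; Pkcs7TrustedVerify and verify() are hypothetical names.
public final class Pkcs7TrustedVerify {
    // True only if there is at least one signer, every signature verifies,
    // and every signer certificate chains to one of the given trust anchors.
    public static boolean verify(byte[] pkcs7, Set<TrustAnchor> anchors) {
        try {
            CMSSignedData cms = new CMSSignedData(pkcs7);
            Store<X509CertificateHolder> store = cms.getCertificates();
            Collection<SignerInformation> signers = cms.getSignerInfos().getSigners();
            if (signers.isEmpty()) return false;      // unsigned container: reject
            // Certificates carried in the message are untrusted path material only.
            JcaX509CertificateConverter conv = new JcaX509CertificateConverter();
            List<X509Certificate> embedded = new ArrayList<>();
            for (X509CertificateHolder h : store.getMatches(null)) {
                embedded.add(conv.getCertificate(h));
            }
            CertStore pathCerts = CertStore.getInstance(
                    "Collection", new CollectionCertStoreParameters(embedded));
            for (SignerInformation signer : signers) {
                Collection<X509CertificateHolder> match = store.getMatches(signer.getSID());
                if (match.isEmpty()) return false;    // signer certificate not included
                X509Certificate cert = conv.getCertificate(match.iterator().next());
                // 1. Cryptographic check of the signature over the content.
                if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))) {
                    return false;
                }
                // 2. Trust check: build a PKIX path from the signer to a trust anchor.
                X509CertSelector target = new X509CertSelector();
                target.setCertificate(cert);
                PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
                params.addCertStore(pathCerts);
                params.setRevocationEnabled(false);   // assumption: no CRL/OCSP source
                CertPathBuilder.getInstance("PKIX").build(params); // throws if no path
            }
            return true;
        } catch (Exception e) {
            return false;                             // fail closed on any error
        }
    }
}
```

The trust anchors must come from configuration the verifier controls (for example a local CA certificate), never from the message being checked.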
