8/24/2023 0 Comments Free pdf signer does not existThe standard PKCS7/CMS format does not specify the Subject name for a signer (or SubjectAltName, for that matter) so any method of determining that and using it to find or check the cert would be nonstandard. This 'SID' is usually the pair of Issuer and Serial, but in CMS can be the SubjectKeyIdentifier. Your code should see javadoc for a minimal example, which uses the Store of certs in the message to find a cert matching the 'SID' ( SignerIdentification) in the SignerInfo. It could check the attributes of the signer against the attributes of the certificate (Subject only? Or also serial number, Issuer?) If you use the JcaSimpleSignerInfoVerifierBuilder.build(cert.getPublicKey()) overload instead, the only difference is that it doesn't check the signingTime, if present, against the cert validity period. Otherwise (no signed attributes) it checks that the signature verifies as the signature of the (received) content under the publickey in the cert (and the algorithms specified in the message and SignerInfo) If authenticated/signed attributes are present, it checks them, including checking that the digest of the (received) content matches the digest attribute, and checks that the signature verifies as the signature of the signed attributes under the publickey in the cert (and the algorithms specified in the message and SignerInfo) Since the build(cert) overload and not the build(publickey) overload was used, if the (must-be-)authenticated/signed attribute signingTime is present, it checks that signingTime value is within the certificate's validity period The SignerInformationVerifier produced from JcaSimpleSignerInfoVerifierBuilder.build(cert) (which mostly wraps a ContentVerifierProvider) is driven by SignerInformation.verify as follows: I have tested with a pdf that had a trusted signature from a trusted CA 1 (registered as such in keystore) and one from a CA 2 which was not registered as trusted in keystore.Īny explanation/help is much appreciated. ![]() It returns true for my signed pdf documents. SignerInformationVerifier signerInformationVerifier = new JcaSimpleSignerInfoVerifierBuilder().build(cert2) X509Certificate cert2 = (X509Certificate) certFactory.generateCertificate(in) InputStream in = new ByteArrayInputStream(certificateHolder.getEncoded()) SignerInformation signer = (SignerInformation) it.next() ĬertificateFactory certFactory = CertificateFactory.getInstance("X.509") Iterator it = signers.getSigners().iterator() SignerInformationStore signers = cmsSignedData.getSignerInfos() I tried javadoc, google but could not find an answer. I learned so far that "verify" like coded below does not check if the certificate is trusted. "verify" could also check if the certificate was not expired at time of signing. ![]() ![]() In that case the objective of "verify" is to see the text did not change/the signature corresponds to the certificate. ![]() Both should give the same result if the signature was using the certificate in question. Before comparing it uses the public key from the certificate to "decrypt" the signature. Is it correct to say it compares the hash of the message against the signature (which I understand is also the hash of the message but encrypted with the private key of the sender). What exactly does signer.verify(signerInformationVerifier) in the code below check?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |