How do you create a p7m envelope signed with a smart card?


Raffaele Sgarro
I'm using the Java builtin PKCS11 API and can't find a way to sign a String with bouncycastle.

The entry point should be CMSSignedDataGenerator, but I don't know how to build one without a ContentSigner, which in turn needs a private key, that is not extractable from the hardware device.

Can anybody point me to the right way of taking a String (XML), signing it with the hardware token (PKCS11) and finally flushing everything to a P7M file?

Thanks,
Raffaele

Re: How do you create a p7m envelope signed with a smart card?

David Hook

JcaContentSignerBuilder doesn't require access to the encoding of the
private key, it just requires the handle to it, providing the builder is
set to use the same provider the key is from.

Regards,

David

On 21/07/16 16:26, Raffaele Sgarro wrote:

> I'm using the Java builtin PKCS11 API and can't find a way to sign a
> String with bouncycastle.
>
> The entry point should be CMSSignedDataGenerator, but I don't know how
> to build one without a ContentSigner, which in turn needs a private
> key, that is not extractable from the hardware device.
>
> Can anybody point me to the right way of taking a String (XML),
> signing it with the hardware token (PKCS11) and finally flushing
> everything to a P7M file?
>
> Thanks,
> Raffaele



Re: How do you create a p7m envelope signed with a smart card?

Raffaele Sgarro
Hi David,

thanks for your quick response! Now my problem is that the resulting content does not seem to be a valid P7M file. The program code:


On Thu, 21 Jul 2016 at 09:50, David Hook <[hidden email]> wrote:

JcaContentSignerBuilder doesn't require access to the encoding of the
private key, it just requires the handle to it, providing the builder is
set to use the same provider the key is from.

Regards,

David

On 21/07/16 16:26, Raffaele Sgarro wrote:
> I'm using the Java builtin PKCS11 API and can't find a way to sign a
> String with bouncycastle.
>
> The entry point should be CMSSignedDataGenerator, but I don't know how
> to build one without a ContentSigner, which in turn needs a private
> key, that is not extractable from the hardware device.
>
> Can anybody point me to the right way of taking a String (XML),
> signing it with the hardware token (PKCS11) and finally flushing
> everything to a P7M file?
>
> Thanks,
> Raffaele



Re: How do you create a p7m envelope signed with a smart card?

Raffaele Sgarro
Sorry, I messed up my tests. The file is valid P7M but the verification software says it doesn't contain the signer certificate. The updated code:


On Thu, 21 Jul 2016 at 10:39, Raffaele Sgarro <[hidden email]> wrote:
Hi David,

thanks for your quick response! Now my problem is that the resulting content does not seem to be a valid P7M file. The program code:


On Thu, 21 Jul 2016 at 09:50, David Hook <[hidden email]> wrote:

JcaContentSignerBuilder doesn't require access to the encoding of the
private key, it just requires the handle to it, providing the builder is
set to use the same provider the key is from.

Regards,

David

On 21/07/16 16:26, Raffaele Sgarro wrote:
> I'm using the Java builtin PKCS11 API and can't find a way to sign a
> String with bouncycastle.
>
> The entry point should be CMSSignedDataGenerator, but I don't know how
> to build one without a ContentSigner, which in turn needs a private
> key, that is not extractable from the hardware device.
>
> Can anybody point me to the right way of taking a String (XML),
> signing it with the hardware token (PKCS11) and finally flushing
> everything to a P7M file?
>
> Thanks,
> Raffaele



Re: How do you create a p7m envelope signed with a smart card?

David Hook

Strictly speaking you don't have to include the signing certificate, but I doubt you'll win that argument. You can use addCertificate() and addCertificates() on the generator to include the signing certificate.

Regards,

David

On 21/07/16 18:44, Raffaele Sgarro wrote:
Sorry, I messed up my tests. The file is valid P7M but the verification software says it doesn't contain the signer certificate. The updated code:


On Thu, 21 Jul 2016 at 10:39, Raffaele Sgarro <[hidden email]> wrote:
Hi David,

thanks for your quick response! Now my problem is that the resulting content does not seem to be a valid P7M file. The program code:


On Thu, 21 Jul 2016 at 09:50, David Hook <[hidden email]> wrote:

JcaContentSignerBuilder doesn't require access to the encoding of the
private key, it just requires the handle to it, providing the builder is
set to use the same provider the key is from.

Regards,

David

On 21/07/16 16:26, Raffaele Sgarro wrote:
> I'm using the Java builtin PKCS11 API and can't find a way to sign a
> String with bouncycastle.
>
> The entry point should be CMSSignedDataGenerator, but I don't know how
> to build one without a ContentSigner, which in turn needs a private
> key, that is not extractable from the hardware device.
>
> Can anybody point me to the right way of taking a String (XML),
> signing it with the hardware token (PKCS11) and finally flushing
> everything to a P7M file?
>
> Thanks,
> Raffaele
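
The approach David Hook describes in his two replies, as an added example that is not code from the thread: the signer is built on the PKCS#11 provider that owns the key handle, the certificate chain is added to the generator, and the envelope is checked for the signer certificate before it is written. Assumptions: Java 9+ `SunPKCS11`, a placeholder config path, an RSA key under the first alias on the token, `SHA256withRSA`, and constructed sample XML and file name.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.*;

public class P7mWithToken {
    public static void main(String[] args) throws Exception {
        // Assumption: placeholder path to a SunPKCS11 config naming the token's PKCS#11 library.
        Provider p11 = Security.getProvider("SunPKCS11").configure("/path/to/pkcs11.cfg");
        Security.addProvider(p11);
        char[] pin = System.console().readPassword("Token PIN: "); // needs an interactive console
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        Arrays.fill(pin, '\0');
        String alias = ks.aliases().nextElement();             // assumption: first entry is the signing key
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);  // a handle; the key material stays on the token
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate cert = (X509Certificate) chain[0];

        // The signer must use the provider the key handle came from.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider(p11).build(key);
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build()).build(signer, cert));
        gen.addCertificates(new JcaCertStore(Arrays.asList(chain))); // embed signer cert and chain

        String xml = "<doc>constructed sample</doc>";
        CMSSignedData sd = gen.generate(
                new CMSProcessableByteArray(xml.getBytes(StandardCharsets.UTF_8)), true); // true = content inside the envelope

        // Check before writing: every signer has its certificate in the envelope and verifies against it.
        for (SignerInformation si : sd.getSignerInfos().getSigners()) {
            Collection<X509CertificateHolder> found = sd.getCertificates().getMatches(si.getSID());
            if (found.isEmpty())
                throw new IllegalStateException("signer certificate missing from envelope");
            if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(found.iterator().next())))
                throw new IllegalStateException("signature does not verify");
        }
        Files.write(Paths.get("document.xml.p7m"), sd.getEncoded());
    }
}
```

The check only confirms that the embedded certificate matches the signature; whether that certificate chains to a trusted root is a separate validation the relying party performs.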


