BouncyCastle: signature algorithm in TBS cert not same as outer cert


I'm trying to validate a certificate path and signature using the Bouncy Castle APIs.

I'm getting the following exception. I have verified that the signature algorithm 'SHA256withRSAEncryption' is the same in the certificates and in the issuer certificate.

Any help appreciated.

```
Exception in thread "main" org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate signature.
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
Caused by: java.security.cert.CertificateException: Signature algorithm in TBS cert not same as outer cert
    at org.bouncycastle.jce.provider.X509CertificateObject.checkSignature(Unknown Source)
    at org.bouncycastle.jce.provider.X509CertificateObject.verify(Unknown Source)
    at org.bouncycastle.jce.provider.CertPathValidatorUtilities.verifyX509Certificate(Unknown Source)
    ... 6 more
```

Signing:

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessable;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;

// pk (the signer's PrivateKey) and cert (the signer certificate) are fields of the enclosing class
public byte[] sign(byte[] data) throws GeneralSecurityException, CMSException, IOException {
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
    generator.addSigner(pk, (X509Certificate) cert,
            CMSSignedDataGenerator.DIGEST_SHA1); // also tried DIGEST_SHA256
    // embed the signer certificate (and any CRLs) in the SignedData so the verifier can build the path
    generator.addCertificatesAndCRLs(getCertStore());
    CMSProcessable content = new CMSProcessableByteArray(data);
    // "true" = encapsulated (attached) content
    CMSSignedData signedData = generator.generate(content, true, "BC");
    return signedData.getEncoded();
}
```

Verification:

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;

// list holds the X509Certificates to validate; rootX509Cert is the trusted root
CollectionCertStoreParameters params = new CollectionCertStoreParameters(list);
CertStore store = CertStore.getInstance("Collection", params, "BC");
// create certificate factory
CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC");
List<X509Certificate> certChain = new ArrayList<X509Certificate>();
// create certificate chain
for (int i = 0; i < list.size(); i++)
    certChain.add(list.get(i));
// create chain of certificates
CertPath certPath = fact.generateCertPath(certChain);
Set<TrustAnchor> trust = Collections.singleton(new TrustAnchor(rootX509Cert, null));
// get certificate path validator
CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
PKIXParameters param = new PKIXParameters(trust);
param.setRevocationEnabled(false);
param.addCertStore(store);
param.setDate(new Date());
param.addCertPathChecker(new PathChecker());
// validate certificate path
validator.validate(certPath, param);
```

I'm not sure whether the problem is with the CMS structure or with the cert path validation. I think one of the certificates is erroneous.

The exception states that in an X509Certificate (my guess: the signer certificate, or one in the chain) the value of Certificate.signatureAlgorithm is not the same as TBSCertificate.signature.

See http://tools.ietf.org/html/rfc5280#section-4.1:

```
Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,   <--
    signatureValue       BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,   <--
    issuer               Name,
    ...
```
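As an added illustration (not part of the question or the answer above, and not BouncyCastle code), the following Python walks the DER of a certificate and extracts exactly the two AlgorithmIdentifiers that BouncyCastle compares, so you can run it over every certificate in the chain (and every certificate carried inside the CMS SignedData) to find the one that is inconsistent. It uses a hand-rolled minimal DER reader so it runs offline; the sample certificates are constructed inline and are only skeletons, with version, serialNumber, signature and the outer signatureAlgorithm filled in and the remaining fields left as empty placeholders.

```python
"""Locate the certificate that trips BouncyCastle's
"signature algorithm in TBS cert not same as outer cert" check by reading
tbsCertificate.signature and Certificate.signatureAlgorithm straight from DER.
Minimal DER handling is hand-rolled so this has no dependencies."""

OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
OID_SHA1_WITH_RSA = "1.2.840.113549.1.1.5"


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed value into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, Certificate.signatureAlgorithm OID).

    RFC 5280 4.1: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
                  TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    (_, tbs), (_, outer_alg), _sig = _children(cert)[:3]
    tbs_fields = _children(tbs)
    idx = 1 if tbs_fields[0][0] == 0xA0 else 0   # skip [0] EXPLICIT version when present
    _, inner_alg = tbs_fields[idx + 1]          # the field after serialNumber is 'signature'
    inner_oid = _decode_oid(_children(inner_alg)[0][1])
    outer_oid = _decode_oid(_children(outer_alg)[0][1])
    return inner_oid, outer_oid


def is_consistent(cert_der):
    """True when the inner and outer AlgorithmIdentifier OIDs agree."""
    inner, outer = signature_algorithms(cert_der)
    return inner == outer


# --- constructed sample data: skeleton certificates, not real or signed ones --

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def _alg_id(oid):
    return _tlv(0x30, _encode_oid(oid) + b"\x05\x00")   # AlgorithmIdentifier with NULL params


def build_sample_cert(tbs_oid, outer_oid):
    """Skeleton: only version, serialNumber, signature and the outer signatureAlgorithm
    are meaningful; issuer/validity/subject/SPKI are empty placeholders, signatureValue is zeros."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))   # [0] version = v3
           + _tlv(0x02, b"\x01")             # serialNumber = 1
           + _alg_id(tbs_oid)                # signature (the inner AlgorithmIdentifier)
           + _tlv(0x30, b"") * 4)            # issuer, validity, subject, subjectPublicKeyInfo
    return _tlv(0x30, _tlv(0x30, tbs) + _alg_id(outer_oid) + _tlv(0x03, b"\x00" * 5))


if __name__ == "__main__":
    samples = {"good": build_sample_cert(OID_SHA256_WITH_RSA, OID_SHA256_WITH_RSA),
               "bad": build_sample_cert(OID_SHA1_WITH_RSA, OID_SHA256_WITH_RSA)}
    for name, der in samples.items():
        inner, outer = signature_algorithms(der)
        print(f"{name}: tbs.signature={inner} outer={outer} consistent={inner == outer}")
```

To check a real chain, call `signature_algorithms(open("cert.der", "rb").read())` for each certificate (PEM files need their base64 body decoded first). In BouncyCastle the same two fields are `Certificate.getInstance(der).getTBSCertificate().getSignature()` and `Certificate.getInstance(der).getSignatureAlgorithm()`. A mismatch almost always means the certificate was produced with one AlgorithmIdentifier placed in the TBS and a different one used for the outer signature, so the fix is to regenerate that certificate rather than to change the validation code.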
