CMS/PKCS7 Signed, Enveloped and Encrypted Message questions and issues
I am attempting to create a signed, enveloped and encrypted CMS/PKCS7 message using Bouncy Castle. I am first creating the signed message, which then becomes the content of the enveloped message (based on what I have been able to glean from developer forums, blogs, etc., this is the correct approach when using Bouncy Castle). Until I am able to complete the unit testing/proof of concept of the code (createSignedmessage method below), I have several questions about this implementation:
1. Does the encryption of the content occur automatically when the generate method of the CMSSignedDataGenerator and CMSEnvelopedDataGenerator is executed?
2. Is the encryption of the content symmetric, using a temporary session/secret key that is automatically created and encrypted with the recipient�s public key?
3. If the creation and encryption of the session/secret key is not handled automatically, how and where is a session key, created ahead of time, included in the CMS envelope (the addKEKRecipient and addKeyTransRecipient seem to be mutually exclusive)?
4. The following exception is thrown when I attempt to sign the content, preventing me from proceeding with my unit testing/proof of concept. Any ideas as to the cause and resolution?
java.security.NoSuchAlgorithmException: class configured for Signature(provider: BC)cannot be found. org.bouncycastle.jce.provider.JDKDigestSignature$SHA1WithRSAEncryption
public String createSignedMessage(byte[] dataParm) {
byte[] signedByteData = null;
String encodedData = null;
X509Certificate ourCert = null;
X509Certificate theirCert = null;
CMSProcessable signContent, envContent = null;
KeyStore keystore = null;
PrivateKey priv = null;
char[] passPhrase = "storepass".toCharArray();
char[] keyPassPhrase = "keypass".toCharArray();
String privateKeyAlias = "privatealias";
String ourAlias = "ourcertalias";
String theirAlias = "theircertalias";
String keyStore = �keystore.jks";
try{
keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(keyStore),passPhrase);
priv = (PrivateKey)(keystore.getKey(privateKeyAlias, keyPassPhrase));
ourCert = (X509Certificate)keystore.getCertificate(ourAlias);
theirCert = (X509Certificate)keystore.getCertificate(theirAlias);
}
catch(Exception exc){
System.out.println("Problem with keystore access: " + exc.toString()) ;
return exc.getMessage();
}
// Use Bouncy Castle provider to create CSM/PKCS#7 signed message ---
try{
CMSSignedDataGenerator signGen = new CMSSignedDataGenerator();
signGen.addSigner(priv, ourCert, CMSSignedDataGenerator.DIGEST_SHA1);
signContent = new CMSProcessableByteArray(dataParm);
CMSSignedData signedData = signGen.generate(signContent,"BC");
signedByteData = signedData.getEncoded();
encodedData = new BASE64Encoder().encode(signedByteData);
}
catch(Exception ex){
System.out.println("Couldn't generate CMS signed message\n" + ex.toString()) ;
ex.printStackTrace();
}
// Use Bouncy Castle provider to create CSM/PKCS#7 enveloped message ---
try{
String algorithm = CMSEnvelopedDataGenerator.AES128_CBC;
int keysize = 128; // bits
CMSEnvelopedDataGenerator envGen = new CMSEnvelopedDataGenerator();
envGen.addKeyTransRecipient(theirCert);
envContent = new CMSProcessableByteArray(signedByteData);
CMSEnvelopedData envData = envGen.generate(envContent, algorithm, keysize, "BC");
signedByteData = envData.getEncoded();
encodedData = new BASE64Encoder().encode(signedByteData);
}
catch(Exception ex){
System.out.println("Couldn't generate CMS enveloped message\n" + ex.toString()) ;
ex.printStackTrace();
}
return encodedData;
}
Thanks in advance