java - 如何使用 bouncycastle 将 X509 证书转换为 PKCS7？

Question

大家好！我的问题如下：我正在尝试将 X509 证书加密为 PKCS7，但我收到错误的结果。

第一次尝试是：（用过bcmail-jdk16:1.46）

            Security.addProvider(new BouncyCastleProvider());

            keystore = KeyStore.getInstance("PKCS12", "BC");
            keystore.load (new FileInputStream(PATH+"//pkcs7-csr-cer//identity.p12"), "testpassword".toCharArray());
            PrivateKey privateKey = (PrivateKey)keystore.getKey("testclientcert", "testpassword".toCharArray());

            CMSSignedDataGenerator signedDataGen = new CMSSignedDataGenerator();

            signedDataGen.addSigner(privateKey, certificate, CMSSignedDataGenerator.ENCRYPTION_RSA, CMSSignedDataGenerator.DIGEST_SHA256);
            CMSProcessableFile pkcs7 = new CMSProcessableFile(new File(destinationfile));
            CMSSignedData signedData = signedDataGen.generate(pkcs7, true, "BC");
            signedData = new CMSSignedData(pkcs7, signedData.getEncoded());

......它不起作用。

第二次尝试是 next（使用 bcmail-jdk16-140）：

        Security.addProvider(new BouncyCastleProvider());

        CMSEnvelopedDataGenerator envDataGen = new CMSEnvelopedDataGenerator();
        envDataGen.addKeyTransRecipient(certificate);

        CMSProcessable sData = new CMSProcessableByteArray(certificate.getEncoded());
        CMSEnvelopedData enveloped = envDataGen.generate(sData, CMSEnvelopedDataGenerator.AES256_CBC, "BC");
        return enveloped.getEncoded();

在这两种情况下我都会得到错误的结果。请帮助谁知道正确的方法。谢谢！

Answer 1

我找到了解决方案！

    private byte[] encryptCertToPKCS7(X509Certificate certificate, Key key) 
                throws CertificateEncodingException, CMSException, NoSuchProviderException, NoSuchAlgorithmException, IOException, OperatorCreationException {
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();

        ContentSigner sha256Signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build((PrivateKey) key);
        generator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder()
                                                                               .setProvider("BC").build())
                                                                              .build(sha256Signer, certificate));
        generator.addCertificates(new JcaCertStore(certificates));
        CMSTypedData content = new CMSProcessableByteArray(certificate.getEncoded());

        CMSSignedData signedData = generator.generate(content, true);
        return signedData.getEncoded();
    }