BouncyCastle & multiple signatures

fulgerica · August 30th, 2007, 01:16 AM

Hello, everybody!
I have a signed document, in p7m format- the document & the signature in one single file. What I have to do in order to sign that document with another signature using BouncyCastle? The old signature must remain in the file and the new one should be added; my p7m file will have 2 signatures attached, so when I read with some program that allows me to view certificates, both certificates should be displayed.

Thank you very much!

dgh · August 30th, 2007, 01:31 AM

CMSSignedDataGenerator has an addSigners() method which allows you to add a SignerInformationStore containing signers generated by other parties. You can use this to use the generator to resign the document and use addSigners() to add the old signer objects as well. This will result in a CMSSignedData object with both signers present. You'll need to copy the other signers certificates across as well if you want them included.

Regards,

David

fulgerica · August 30th, 2007, 05:18 AM

And how can I create a SignerInformationStore from my p7m file containing the old signers?

Maybe using getSignerInfos() method of the CMSSignedData ?

Thank you,
Alex

dgh · August 30th, 2007, 06:13 AM

Wrap it in a CMSSignedData object. There's a method on it for getting the signer information.

Regards,

David

fulgerica · August 31st, 2007, 07:29 AM

I have the following method:

private static void addSigner(CertStore certs){
        //generate signer
        CMSSignedDataGenerator signGen = new CMSSignedDataGenerator();
        signGen.addSigner(pk3, certificate3, CMSSignedDataGenerator.DIGEST_SHA1);

        byte[] buffer=loadFile();

        //get data
        CMSSignedData signedData=null;
        try{
            signedData = new CMSSignedData(buffer);
        }catch(Exception exc){
            exc.printStackTrace();
        }

        if (signedData!=null){
            try{
                SignerInformationStore signers=signedData.getSignerInfos();
                CertStore existingCerts=signedData.getCertificatesAndCRLs("C ollection", "BC");
                X509Store x509Store=signedData.getAttributeCertificates("Col lection", "BC");

                //add new certs
                signGen.addCertificatesAndCRLs(certs);
                //add existing certs
                signGen.addCertificatesAndCRLs(existingCerts);
                //add existing certs attributes
                signGen.addAttributeCertificates(x509Store);
                //add existing signers
                signGen.addSigners(signers);

            }catch(Exception exc){
                exc.printStackTrace();
            }
            CMSProcessable content = new CMSProcessableByteArray(buffer);
            try{
                signedData = signGen.generate(content, true, "BC");
                byte[] signeddata = signedData.getEncoded();
                saveFile(signeddata, OUTPUT_FILENAME);
            }catch(Exception exc){
                exc.printStackTrace();
            }
        }
    }

The signed data, initially contains 2 signatures, both of them do verify just fine. The above code adds a third signature and works just fine. The problem is when I'm trying to verify the newly generated file, I get the following error:

org.bouncycastle.cms.CMSException: invalid signature format in message: content hash found in signed attributes different
    at org.bouncycastle.cms.SignerInformation.doVerify(Un known Source)
    at org.bouncycastle.cms.SignerInformation.verify(Unkn own Source)
    at main.BouncyCastleVerify.main(BouncyCastleVerify.ja va:135)

Here is my verification code:
//load signed file
            File f = new File(INPUT_FILENAME);
            byte[] buffer = new byte[(int)f.length()];
            DataInputStream in = new DataInputStream(new FileInputStream(f));
            in.readFully(buffer);
            in.close();

            CMSSignedData signature = new CMSSignedData(buffer);

            // batch verification
            CertStore certs = signature.getCertificatesAndCRLs("Collection", "BC");
              SignerInformationStore signers = signature.getSignerInfos();
              Collection c = signers.getSigners();
              Iterator it = c.iterator();

              int verified=0;
              while (it.hasNext())
              {
                  SignerInformation signer = (SignerInformation)it.next();
                  Collection certCollection = certs.getCertificates(signer.getSID());

                  Iterator certIt = certCollection.iterator();
                  X509Certificate cert = (X509Certificate)certIt.next();
                  System.out.println(verified);
                  if (signer.verify(cert.getPublicKey(),"BC"))
                  {
                      verified++;
                  }
              }
              System.out.println(verified);

fulgerica · August 31st, 2007, 07:51 AM

problem solved

I was processing the wrong content

instead of CMSProcessable content = new CMSProcessableByteArray(buffer);

I should have had
CMSProcessable content= signedData.getSignedContent();

Thank you very much for your support,
Alex