Handling large amount of data for signing and enveloping

Musashi · February 8th, 2010, 06:12 AM

Hi!

I'm writing a file signer/enveloper that does just fine when working with small files. The problem appears when I try to sign/envelop large files and the console gives me "failed: java.lang.OutOfMemoryError: Java heap space".

Anyone knows how to work this around? Here's a piece of my code for signing:

Code:

try {
             Certificate cert = keyStore.getCertificate(alias);
             PrivateKey key = (PrivateKey) keyStore.getKey(alias, null);
             Certificate[] chain = keyStore.getCertificateChain(alias);
             CertStore certStore = CertStore.getInstance("Collection",new CollectionCertStoreParameters(Arrays.asList(chain)));
             CMSSignedDataGenerator sdatagen = new CMSSignedDataGenerator();
             sdatagen.addSigner(key, (X509Certificate) cert, CMSSignedDataGenerator.DIGEST_SHA1);
             sdatagen.addCertificatesAndCRLs(certStore);            
             CMSSignedData sdata = sdatagen.generate(new CMSProcessableFile(arq, 16384), true, "SunPKCS11-iKey2032");
             Security.removeProvider(provider.getName());

Thank you!

Musashi · February 8th, 2010, 02:12 PM

Hi,

Instead of using the CMSSignedDataGenerator I tried the CMSSignedDataStreamGenerator and it appears to handle large files just fine.

After the signature is generated, the content hash does not match the original content. What am I doing wrong? Here`s a piece of the new code:

Code:

int buff = 16384;
             byte[] buffer = new byte[buff];
             int unitsize = 0;
             long read = 0;
             long offset = arq.length();
             FileInputStream is = new FileInputStream(arq);
             FileOutputStream bOut = new FileOutputStream("teste.p7s");
             Certificate cert = keyStore.getCertificate(alias);
             PrivateKey key = (PrivateKey) keyStore.getKey(alias, null);
             Certificate[] chain = keyStore.getCertificateChain(alias);
             CertStore certStore = CertStore.getInstance("Collection",new CollectionCertStoreParameters(Arrays.asList(chain)));
             CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator();
             gen.addSigner(key, (X509Certificate) cert, CMSSignedDataGenerator.DIGEST_SHA1, "SunPKCS11-iKey2032");
             gen.addCertificatesAndCRLs(certStore);
             OutputStream sigOut = gen.open(bOut,true);

             while (read < offset) {
                 unitsize = (int) (((offset - read) >= buff) ? buff : (offset - read));
                 is.read(buffer, 0, unitsize);
                 sigOut.write(buffer);
                 read += unitsize;
             }
             sigOut.close();
             bOut.close();
             is.close();

Thanks!

dgh · February 8th, 2010, 08:22 PM

Yes, the streaming API is the way to go.

The use of the generator looks basically correct, but the read loop is wrong - to start with it assumes buffer is full after each read. Try something like

Code:

int len = 0;

while ((len = is.read(buffer, 0, buffer.length)) > 0)
{
    sigOut.write(buffer, 0, len);
}

Regards,

David

Musashi · February 9th, 2010, 05:58 AM

Thanks David! It worked!

I've got another question:

Do you know if there's any way to retrieve the digest from the signed content using CMSSignedDataParser? Or do I have to retrieve the content and calculate the hash again?

dgh · February 9th, 2010, 07:16 AM

SignerInformation.getContentDigest() will return the digest value after verify is called.

Regards,

David