I'm trying to generate a signed CSR using the Bouncy Castle FIPS library with a private key present in a USB token.

Currently Bouncy Castle does not provide an option to attach the signature bytes (generated using the USB token) to a PKCS10CertificationRequest.

How can I achieve this using the Bouncy Castle library?

I'm using a PKCS10CertificationRequest object to generate a signed CSR, which expects a ContentSigner object as input, so I created my own ContentSigner by implementing the methods 1. getSignature(), 2. getOutputStream(), 3. getAlgorithmIdentifier().

Here the getSignature function invokes the PKCS11 library calls to generate a signature, using the X500Name and public key as input and signing the input data with the private key present in the token.

Using this flow I can generate a signed CSR, but when I tried to validate the generated signed CSR using the isvalid() function, it throws an error: "Invalid Signature".

I'm using the following code to generate the signed CSR using Bouncy Castle with the PKCS11 library,

where

publicKeyInfo is the public key retrieved from the USB token.
signingPrivKey is a handle for the private key present in the USB token.

    CertificationRequestInfo certificateRequestInfo = new CertificationRequestInfo(subject, publicKeyInfo, new DERSet());
    ContentSigner contentSigner = new ContentSigner() {

        @Override
        public byte[] getSignature()
        {
            try 
            {
                PrivateKey signingPrivKey = null;
                RSAPrivateKey templateForSignKey = new RSAPrivateKey();
                templateForSignKey.getId().setByteArrayValue(id);
                session.findObjectsInit(templateForSignKey);
                Object[] privKeyObjects = session.findObjects(1);
                if (privKeyObjects.length > 0)
                {
                    signingPrivKey = (PrivateKey) privKeyObjects[0];
                }
                session.findObjectsFinal();

                ByteArrayInputStream dataInputStream = new ByteArrayInputStream(certificateRequestInfo.getEncoded());
                MessageDigest digestEngine = MessageDigest.getInstance("SHA-256", "BCFIPS");
                Mechanism signatureMechanism = Mechanism.get(PKCS11Constants.CKM_RSA_PKCS);
                //Initialize for signing
                session.signInit(signatureMechanism, signingPrivKey);

                byte[] dataBuffer = new byte[1024];
                int bytesRead;

                // feed all data from the input stream to the message digest
                while ((bytesRead = dataInputStream.read(dataBuffer)) >= 0)
                {
                    digestEngine.update(dataBuffer, 0, bytesRead);
                }
                byte[] digest = digestEngine.digest();
                byte[] signatureValue = session.sign(digest);
                return signatureValue;
            }
            catch (TokenException e)
            {
                setMsg(e.getMessage());
            }
            catch (NoSuchAlgorithmException e)
            {
                setMsg(e.getMessage());
            }
            catch (FileNotFoundException e)
            {
                setMsg(e.getMessage());
            }
            catch (IOException e)
            {
                setMsg(e.getMessage());
            }

            return null;
        }

        @Override
        public OutputStream getOutputStream()
        {
            return null;
        }

        @Override
        public AlgorithmIdentifier getAlgorithmIdentifier()
        {
            AlgorithmIdentifier algorithmIdentifier = new DefaultSignatureAlgorithmIdentifierFinder().find(hashingAlgo);
            return algorithmIdentifier;
        }
    };

    AlgorithmIdentifier algorithmId = contentSigner.getAlgorithmIdentifier();
    byte[] signData = contentSigner.getSignature();
    DERBitString derBitStr = new DERBitString(signData);

    CertificationRequest certReq = new CertificationRequest(certificateRequestInfo, algorithmId, derBitStr);
    PKCS10CertificationRequest pkcs10Req = new PKCS10CertificationRequest(certReq);
Giri_Raj

1 Answer

After a lot of brainstorming, I finally managed to generate a perfect signed CSR using the Bouncy Castle FIPS and PKCS11 libraries.

The change to the above code is that we have to wrap the message digest bytes in a MessageDigestInfo object and send the encoded data from the MessageDigestInfo to the PKCS11 sign function.

Giri_Raj
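The fix described in the answer, as an added example that is not part of the original posts: `CKM_RSA_PKCS` only applies PKCS#1 v1.5 padding to whatever it is given, so the bare SHA-256 hash fails verification while the DER-encoded DigestInfo verifies. The sketch assumes only the JDK, with `NONEwithRSA` on a constructed software key standing in for the token's `session.sign()`; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class DigestInfoDemo {   // hypothetical name, added example
    // DER header of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
    static final byte[] SHA256_PREFIX = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

    // DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }
    static byte[] digestInfo(byte[] sha256) {
        byte[] out = Arrays.copyOf(SHA256_PREFIX, SHA256_PREFIX.length + sha256.length);
        System.arraycopy(sha256, 0, out, SHA256_PREFIX.length, sha256.length);
        return out;
    }

    // Stand-in for a CKM_RSA_PKCS sign call: pads and signs the input as-is, no hashing.
    static byte[] rawPkcs1Sign(PrivateKey key, byte[] input) throws GeneralSecurityException {
        Signature s = Signature.getInstance("NONEwithRSA");
        s.initSign(key);
        s.update(input);
        return s.sign();
    }

    // What a verifier does for a sha256WithRSAEncryption signature.
    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(key);
        v.update(data);
        // Some JDK versions throw on a malformed encoding instead of returning false.
        try { return v.verify(sig); } catch (SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // constructed software key, not a token key
        // Constructed placeholder for certificateRequestInfo.getEncoded().
        byte[] tbs = "constructed CertificationRequestInfo bytes".getBytes(StandardCharsets.UTF_8);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(tbs);

        byte[] bare = rawPkcs1Sign(kp.getPrivate(), digest);                 // as in the question
        byte[] wrapped = rawPkcs1Sign(kp.getPrivate(), digestInfo(digest));  // as in the answer
        System.out.println("bare digest verifies: " + verify(kp.getPublic(), tbs, bare));
        System.out.println("DigestInfo verifies:  " + verify(kp.getPublic(), tbs, wrapped));
    }
}
```

In Bouncy Castle the same bytes come from `org.bouncycastle.asn1.x509.DigestInfo` built with the SHA-256 `AlgorithmIdentifier` (with `DERNull.INSTANCE` parameters) and encoded as DER.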