Signature verification only with Java. #42

Open
denv77 opened this issue Sep 22, 2017 · 6 comments
Comments

denv77 commented Sep 22, 2017

Hi.
Please help.
How can I verify a signature using only Java?

I tried this:

    import java.io.File;
    import java.security.cert.X509Certificate;
    import java.util.List;
    import net.jsign.pe.PEFile;
    import org.bouncycastle.cert.X509CertificateHolder;
    import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
    import org.bouncycastle.cms.CMSSignedData;
    import org.bouncycastle.cms.SignerInformation;
    import org.bouncycastle.cms.SignerInformationVerifier;
    import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import org.bouncycastle.util.Store;

    BouncyCastleProvider prov = new BouncyCastleProvider();
    File file = new File("C:\\Windows\\SysWOW64\\jcPKCS11-2.dll");
    PEFile pef = new PEFile(file);
    // Each entry of the PE certificate table, parsed as a CMS SignedData structure
    List<CMSSignedData> signedDataList = pef.getSignatures();
    CMSSignedData cms = signedDataList.get(0);
    Store<X509CertificateHolder> store = cms.getCertificates();
    for (SignerInformation signer : cms.getSignerInfos().getSigners()) {
        // Look up the signer's certificate by its SignerId (issuer + serial number)
        X509CertificateHolder certHolder = store.getMatches(signer.getSID()).iterator().next();
        X509Certificate cert = new JcaX509CertificateConverter().setProvider(prov).getCertificate(certHolder);
        SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder().setProvider(prov).build(cert);
        System.out.println(signer.verify(siv));   // throws the NullPointerException shown below
    }

but I get an error:

Exception in thread "main" java.lang.NullPointerException
at org.bouncycastle.cms.CMSSignedData$1.write(Unknown Source)
at org.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
at org.bouncycastle.cms.SignerInformation.verify(Unknown Source)
at ru.centerinform.crypto.Main.main(Main.java:86)

ebourg (Owner) commented Sep 22, 2017

I don't know, sorry, but if you find out I can add a verify feature to jsign.

denv77 (Author) commented Sep 22, 2017

Thanks for the answer. I'll try to find out.

@denv77 denv77 closed this as completed Sep 22, 2017
@denv77 denv77 reopened this Oct 13, 2017
denv77 (Author) commented Oct 13, 2017

Hi.
Please tell me why the SHA1 digests are not equal.

I do this:

    import java.io.File;
    import java.security.cert.X509Certificate;
    import java.util.Arrays;
    import java.util.List;
    import javax.crypto.Cipher;
    import net.jsign.DigestAlgorithm;
    import net.jsign.pe.PEFile;
    import org.bouncycastle.asn1.x509.DigestInfo;
    import org.bouncycastle.cert.X509CertificateHolder;
    import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
    import org.bouncycastle.cms.CMSSignedData;
    import org.bouncycastle.cms.SignerInformation;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import org.bouncycastle.util.Store;

    BouncyCastleProvider prov = new BouncyCastleProvider();

    File file = new File("D:\\WORK\\PE Signature\\dll\\jcPKCS11-2-x32.dll");
    PEFile pef = new PEFile(file);
    // Digest of the PE image as jsign computes it
    byte[] psha1 = pef.computeDigest(DigestAlgorithm.SHA1);
    System.out.println("pef " + Arrays.toString(psha1));

    List<CMSSignedData> signedDataList = pef.getSignatures();
    CMSSignedData cms = signedDataList.get(0);
    Store<X509CertificateHolder> store = cms.getCertificates();
    for (SignerInformation signer : cms.getSignerInfos().getSigners()) {
        byte[] signature = signer.getSignature();
        X509CertificateHolder certHolder = store.getMatches(signer.getSID()).iterator().next();
        X509Certificate cert = new JcaX509CertificateConverter().setProvider(prov).getCertificate(certHolder);
        // "Decrypt" the RSA signature with the public key to recover the PKCS#1 v1.5 DigestInfo
        Cipher rsa = Cipher.getInstance("RSA");
        rsa.init(Cipher.DECRYPT_MODE, cert.getPublicKey());
        byte[] sha1 = rsa.doFinal(signature);
        DigestInfo di = DigestInfo.getInstance(sha1);
        System.out.println("SHA1 OID must be 1.3.14.3.2.26 [" + di.getAlgorithmId().getAlgorithm() + "]");
        // The recovered digest is the value the RSA signature was made over, not the file hash
        byte[] dis = di.getDigest();
        System.out.println("dis " + Arrays.toString(dis));
    }

and the result is:

pef [103, 34, 54, 76, -12, 57, 37, 23, 36, 77, 71, -97, 114, -77, 48, 15, -16, -116, -61, -38]
SHA1 OID must be 1.3.14.3.2.26 [1.3.14.3.2.26]
dis [22, -126, -63, -16, 16, -109, -66, 83, 55, -127, -7, -100, 126, -41, -71, -77, 82, 59, -43, -98]

ebourg (Owner) commented Nov 3, 2017

Because PEFile.computeDigest() checksums only the file. The signature contains a different checksum, of a structure (SpcIndirectDataContent) that contains the checksum of the file.
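One way to do the check ebourg describes, as an added example that is not code from this issue, from jsign or from BouncyCastle: re-parse the CMS blob so BouncyCastle attaches the SpcIndirectDataContent as signed content (the NullPointerException above comes from a CMSSignedData that has no content), verify each signer over it, then compare the DigestInfo embedded in SpcIndirectDataContent with PEFile.computeDigest(). AuthenticodeCheck and verify are assumed names; the jsign package names and PEFile.close() are assumed from jsign's public API.

```java
import java.io.File;
import java.util.Arrays;
import net.jsign.DigestAlgorithm;
import net.jsign.pe.PEFile;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.x509.DigestInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.Store;
public class AuthenticodeCheck {   // hypothetical class name, not part of jsign
    /** True when the first signature verifies and its embedded digest matches the file. */
    public static boolean verify(File file) throws Exception {
        BouncyCastleProvider prov = new BouncyCastleProvider();
        PEFile pef = new PEFile(file);
        try {
            // Re-parse from DER: BouncyCastle then wraps the encapsulated SpcIndirectDataContent
            // as signed content (digesting each element's encoding, as Authenticode requires).
            CMSSignedData cms = new CMSSignedData(pef.getSignatures().get(0).getEncoded());
            // Step 1: every signer's signature must verify against its own certificate.
            Store<X509CertificateHolder> certs = cms.getCertificates();
            for (SignerInformation signer : cms.getSignerInfos().getSigners()) {
                X509CertificateHolder holder = certs.getMatches(signer.getSID()).iterator().next();
                if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(prov).build(holder))) {
                    return false;
                }
            }
            // Step 2: SpcIndirectDataContent ::= SEQUENCE { data, messageDigest DigestInfo }.
            // The DigestInfo is the file hash; recompute it over the PE image and compare.
            SignedData sd = SignedData.getInstance(cms.toASN1Structure().getContent());
            ASN1Sequence spc = ASN1Sequence.getInstance(sd.getEncapContentInfo().getContent());
            DigestInfo di = DigestInfo.getInstance(spc.getObjectAt(1));
            ASN1ObjectIdentifier oid = di.getAlgorithmId().getAlgorithm();
            DigestAlgorithm alg;
            if (OIWObjectIdentifiers.idSHA1.equals(oid)) alg = DigestAlgorithm.SHA1;
            else if (NISTObjectIdentifiers.id_sha256.equals(oid)) alg = DigestAlgorithm.SHA256;
            else return false;   // digest algorithm not handled by this example
            return Arrays.equals(di.getDigest(), pef.computeDigest(alg));
        } finally {
            pef.close();
        }
    }
}
```

This checks only that the signature is internally consistent with the file; building the certificate chain to a trusted root and handling timestamp countersignatures are separate steps not shown here.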

jesselandman commented Mar 8, 2018

@denv77 did you ever figure this out? I require the same functionality (verification/validation of the signature) and I am in the same place.

I've tried using @ebourg's suggestions here:

#29

But I'm not sure if I'm grabbing the original data correctly.

denv77 (Author) commented May 22, 2018

@jesselandman Hi.
Sorry that it's so late.
My research dragged on and I was switched to another project.
But I still want to do this :)
Please let me know if you make progress on this.

3 participants