[Solved] Cannot verify signature (cmssigneddata) bouncycastle

You need to add the certificate to an org.bouncycastle.util.CollectionStore, and add this store to the signature. I'm using BouncyCastle 1.56:

import java.util.Collections;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.util.CollectionStore;

// add these lines after gen.addSignerInfoGenerator(…)
// cert is your X509Certificate
X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
CollectionStore<X509CertificateHolder> certStore =
        new CollectionStore<>(Collections.singletonList(holder));
gen.addCertificates(certStore); // add the store to the signature

The CollectionStore …

[Solved] Validate names against Name Constraints extension of a X509Certificate CA [closed]

Even though I could see the JDK has decent APIs for this, they are all internal. So I ended up using Bouncy Castle.

public boolean validateAgainstNamingConstraints(X509Certificate certificate, GeneralName name) {
    NameConstraints nameConstraints = null;
    try {
        nameConstraints = NameConstraints.getInstance(
                JcaX509ExtensionUtils.parseExtensionValue(
                        certificate.getExtensionValue(Extension.nameConstraints.getId())));
    } catch (IOException e) {
        log.warn("Failed to parse name constraint. Skipping validation. {}", e.getMessage());
        return …