使用 EC X509 证书加密电子邮件
我正在尝试使用 BouncyCastle 的 SMIME 包来使用 ECDSA X509 证书创建加密消息。根据 BouncyCastle 的发行说明,从 1.32 开始就支持这一点(我使用的是 1.46),但我不断收到异常,指出找不到 ECDSA OID 的密码。
org.bouncycastle.cms.CMSException:异常包装内容键: 无法创建密码:找不到任何提供者支持 1.2.840.10045.2.1
这是我正在使用的测试证书之一的片段我用来
Version: V3
Subject: [email protected]
Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2
Key: EC Public Key
创建加密消息的代码如下所示:
// allow the use of the BC JCE
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
SMIMEEnvelopedGenerator gen = new SMIMEEnvelopedGenerator();
JceKeyTransRecipientInfoGenerator rig = new JceKeyTransRecipientInfoGenerator(cert);
gen.addRecipientInfoGenerator(rig);
MimeBodyPart msg = new MimeBodyPart();
msg.setText(message);
MimeBodyPart mp = gen.generate(
msg,
new JceCMSContentEncryptorBuilder(
CMSAlgorithm.AES128_CBC).setProvider("BC").build());
Properties props = System.getProperties();
Session session = Session.getDefaultInstance(props, null);
// TODO: This is incorrect. Perhaps AKA is better?
String to = cert.getSubjectDN().getName();
Address fromUser = new InternetAddress(from);
Address toUser = new InternetAddress(to);
MimeMessage body = new MimeMessage(session);
body.setFrom(fromUser);
body.setRecipient(Message.RecipientType.TO, toUser);
body.setSubject("example encrypted message");
body.setContent(mp.getContent(), mp.getContentType());
body.saveChanges();
body.writeTo(new FileOutputStream(filename));
我确信我正在做一些明显错误的事情,但我没有看到就现在。有什么想法吗?
I'm trying to use BouncyCastle's SMIME package to create an encrypted message using ECDSA X509 certificates. According to BouncyCastle's release notes, this has been supported since 1.32 (I'm using 1.46), but I keep getting an exception stating that no cipher can be found for the ECDSA OID.
org.bouncycastle.cms.CMSException: exception wrapping content key:
cannot create cipher: Cannot find any provider supporting
1.2.840.10045.2.1
Here is a snippet from one of the test certificates I am using
Version: V3
Subject: [email protected]
Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2
Key: EC Public Key
The code I am using to create the encrypted message looks like this:
// allow the use of the BC JCE
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
SMIMEEnvelopedGenerator gen = new SMIMEEnvelopedGenerator();
JceKeyTransRecipientInfoGenerator rig = new JceKeyTransRecipientInfoGenerator(cert);
gen.addRecipientInfoGenerator(rig);
MimeBodyPart msg = new MimeBodyPart();
msg.setText(message);
MimeBodyPart mp = gen.generate(
msg,
new JceCMSContentEncryptorBuilder(
CMSAlgorithm.AES128_CBC).setProvider("BC").build());
Properties props = System.getProperties();
Session session = Session.getDefaultInstance(props, null);
// TODO: This is incorrect. Perhaps AKA is better?
String to = cert.getSubjectDN().getName();
Address fromUser = new InternetAddress(from);
Address toUser = new InternetAddress(to);
MimeMessage body = new MimeMessage(session);
body.setFrom(fromUser);
body.setRecipient(Message.RecipientType.TO, toUser);
body.setSubject("example encrypted message");
body.setContent(mp.getContent(), mp.getContentType());
body.saveChanges();
body.writeTo(new FileOutputStream(filename));
I'm sure I'm doing something obviously wrong, but I'm not seeing it right now. Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
正如 Thomas Pornin 所建议的(上文),需要使用 ECDH 来完成这项工作。因此,有必要使用 JceKeyAgreeRecipientInfoGenerator,而不是使用 JceKeyTransRecipientInfoGenerator。
As Thomas Pornin suggested (above), ECDH needed to be used to make this work. So instead of using a JceKeyTransRecipientInfoGenerator, it was necessary to use a JceKeyAgreeRecipientInfoGenerator.
ECDSA 是一种签名算法,而不是加密或密钥交换算法。为了加密消息,您需要收件人的 RSA 或 Diffie-Hellman 密钥(可能是 ECDH)。
ECDSA is a signature algorithm, not an encryption or key exchange algorithm. In order to encrypt a message, you need the recipient's RSA or Diffie-Hellman key (possibly ECDH).