SignerID cast to X509CertSelector in BouncyCastle library

Submitted by 南笙酒味 on 2019-12-10 11:47:48

Question


I'm trying to verify if a specific message is signed with a valid signature from an entity certificate recognized by my own trust anchor. I'm doing this:

public static boolean isValid(CMSSignedData signedData, X509Certificate rootCert) throws Exception
{
    CertStore certsAndCRLs = signedData.getCertificatesAndCRLs("Collection", "BC");
    SignerInformationStore signers = signedData.getSignerInfos();
    Iterator it = signers.getSigners().iterator();

    if (it.hasNext()){
        SignerInformation signer = (SignerInformation)it.next();

        X509CertSelector signerConstraints = signer.getSID();

        PKIXCertPathBuilderResult result = buildPath(rootCert, signerConstraints, certsAndCRLs);

        return signer.verify(result.getPublicKey(), "BC");
    }
    return false;
}

But this line is giving me a compile error:

X509CertSelector signerConstraints = signer.getSID();

Because it is unable to cast from SignerId to X509CertSelector. I tried using explicit cast:

X509CertSelector signerConstraints = (CertSelector) signer.getSID();

And:

X509CertSelector signerConstraints = (X509CertSelector) signer.getSID();

Without results. How can I do this? Thanks

PS: notice that this code is extracted from "Beginning Cryptography with Java" by David Hook, but it doesn't compile.


Answer 1:


I solved my own problem yesterday. I think it was something related to the .jar files included as external archives in my project. Now, I'm using these:

bcprov-jdk16-145.jar
bcmail-jdk16-145.jar

Instead of:

bcprov-jdk15on-147.jar
bcmail-jdk15on-147.jar

Maybe the old versions didn't support this kind of implicit cast.

EDIT: David Hook's answer in http://bouncy-castle.1462172.n4.nabble.com/Problem-with-SignerID-and-X509CertSelector-td4620461.html

Use org.bouncycastle.cert.selector.jcajce.JcaX509CertSelectorConverter - unfortunately the code in "Beginning Cryptography With Java" is now getting out of date. Guess I'll have to get the word processor out again.

Regards,

David




Answer 2:


Using BouncyCastle bcmail-jdk15on 1.52, I succeeded in doing this using:

X509CertificateHolderSelector x509CertificateHolderSelector = new X509CertificateHolderSelector(info.getSID().getSubjectKeyIdentifier());
X509CertSelector certSelector = new JcaX509CertSelectorConverter().getCertSelector(x509CertificateHolderSelector);
@SuppressWarnings("unchecked")
Collection<X509Certificate> certCollection = (Collection<X509Certificate>) certs.getCertificates(certSelector);
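
An added example, not code from the question, the answers or the book: the question's isValid rewritten around the JcaX509CertSelectorConverter that both answers point to, building the selector from every field the SignerId carries so that signers identified by issuer and serial number work as well as those identified by subject key identifier. It assumes bcprov and bcpkix from the 1.5x line or later on the classpath; the class name CmsTrustCheck and the choice to disable revocation checking are assumptions made for this sketch.

```java
import java.security.cert.*;
import java.util.Collections;
import org.bouncycastle.cert.jcajce.JcaCertStoreBuilder;
import org.bouncycastle.cert.selector.X509CertificateHolderSelector;
import org.bouncycastle.cert.selector.jcajce.JcaX509CertSelectorConverter;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;

public final class CmsTrustCheck { // hypothetical class name
    public static boolean isValid(CMSSignedData signedData, X509Certificate rootCert) throws Exception {
        // Certificates and CRLs inside the message are untrusted; they only help path building.
        CertStore certsAndCRLs = new JcaCertStoreBuilder()
                .addCertificates(signedData.getCertificates())
                .addCRLs(signedData.getCRLs())
                .build();

        boolean sawSigner = false;
        for (Object o : signedData.getSignerInfos().getSigners()) {
            SignerInformation signer = (SignerInformation) o;
            sawSigner = true;
            SignerId sid = signer.getSID();
            // A SignerId holds issuer + serial number, or a subject key identifier;
            // unused fields are null and are ignored by the converter.
            X509CertSelector target = new JcaX509CertSelectorConverter().getCertSelector(
                    new X509CertificateHolderSelector(
                            sid.getIssuer(), sid.getSerialNumber(), sid.getSubjectKeyIdentifier()));

            PKIXBuilderParameters params = new PKIXBuilderParameters(
                    Collections.singleton(new TrustAnchor(rootCert, null)), target);
            params.addCertStore(certsAndCRLs);
            params.setRevocationEnabled(false); // assumption: enable once CRLs/OCSP are available

            PKIXCertPathBuilderResult result;
            try {
                result = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            } catch (CertPathBuilderException e) {
                return false; // signer certificate does not chain to the trust anchor
            }
            // Verify with the key of the certificate that was just validated, never an unchecked one.
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(result.getPublicKey()))) {
                return false;
            }
        }
        return sawSigner; // a message with no signers is not accepted
    }
}
```

Unlike the question's version, this requires every signer in the message to chain to rootCert and verify, and it returns false rather than throwing when no path can be built.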


Source: https://stackoverflow.com/questions/10517148/signerid-cast-to-x509certselector-in-bouncycastle-library
