Bouncy Castle i cannot get all certificate

问题

I'm trying to read certificate from smime.p7s file, the certificate chain is:

Baltimora Cyber Trust --> DigitPA --> Aruba PEC

So when i'm trying to extract, I retrieve only the last two certificate, the last like subject and the first like issuer. What am I wrong?

the code:

private List<CertificateInfo> reading(ASN1InputStream asn1Stream) throws IOException, CMSException, CertificateException {
        ArrayList<CertificateInfo> infos = new ArrayList<CertificateInfo>();
        ASN1Primitive obj = asn1Stream.readObject();
        ContentInfo contentInfo = ContentInfo.getInstance(obj);
        CMSSignedData cms = new CMSSignedData(contentInfo);
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);
        Store store = cms.getCertificates();
        SignerInformationStore signersInfoStore = cms.getSignerInfos();
        Collection<SignerInformation> signers = signersInfoStore.getSigners();
        logger.debug("signers num [" + signers.size() + "]");
        for (SignerInformation si : signers) {
            SignerId sid = si.getSID();
            Collection<X509CertificateHolder> holders = store.getMatches(sid);
            logger.debug("holders num [" + holders.size() + "]");
            for (X509CertificateHolder certholder : holders) {
                X509Certificate cert = converter.getCertificate(certholder);
                logger.debug("Issuer [" + cert.getPublicKey() + "]");
                CertificateInfo certInfo = util.parse(cert);
                infos.add(certInfo);
            }
        }
        return infos;
    }

I'm using these bouncy castle jar like dependecies:

        <dependency>
            <groupId>bouncycastle</groupId>
            <artifactId>bcprov-jdk15</artifactId>
            <version>150</version>
        </dependency>
        <dependency>
            <groupId>bouncycastle</groupId>
            <artifactId>bcmail-jdk15</artifactId>
            <version>150</version>
        </dependency>
        <dependency>
            <groupId>bouncycastle</groupId>
            <artifactId>bcpg-jdk15</artifactId>
            <version>150</version>
        </dependency>
        <dependency>
            <groupId>bouncycastle</groupId>
            <artifactId>bcpkix-jdk15</artifactId>
            <version>150</version>
        </dependency>

thanks in advance.

回答1:

Probably nothing is wrong. PKI works with a tree-like structure. It is possible to trust Aruba PEC using DigitPA. But how can you trust DigitPA? The most common method is to store the root certificate in a trust store. This trust store is e.g. distributed by the application (like the trust store within web browsers).

Now if the Baltimora Cyber Trust is already in the trust store, there is no need to send it within the PKCS#7 container. The certificate chain can be constructed to the trusted root without it.

So you either read the cert from the trust store directly, or you retrieve the root cert from the certificate chain created for verification.

来源：https://stackoverflow.com/questions/22202771/bouncy-castle-i-cannot-get-all-certificate