Home/ Questions/Q 9149997
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T11:33:13+00:00

According to several posts I’ve found out it’s now possible to perform CAdES using

  • 0

According to several posts I’ve found out it’s now possible to perform CAdES using BouncyCastle but there is hardly any documentation on the topic.

For starters I want to perform CAdES-BES without any optional signed attributes on a file with a file based certificate.

In response to dander:

I have something that might be helpful, you have your SignerInformation, you need to extend it, first you need to create an attribute from the timestamp, I’ll assume you already have a TimeStampResponse as tspResp 

TimeStampToken token = tsresp.getTimeStampToken();

Attribute timeStamp = new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, new DERSet(ASN1Object.fromByteArray(token.getEncoded())));

Then you need to extend your SignerInformation

AttributeTable unsigned = signerInformation.getUnsignedAttributes();
Hashtable<ASN1ObjectIdentifier, Attribute> unsignedAttrHash = null;
if (unsigned == null) {
    unsignedAttrHash = new Hashtable<ASN1ObjectIdentifier, Attribute>();
} else {
    unsignedAttrHash = signerInformation.getUnsignedAttributes().toHashtable();
}

unsignedAttrHash.put(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, signatureTimeStamp);

SignerInformation newsi = SignerInformation.replaceUnsignedAttributes(si, new AttributeTable(
        unsignedAttrHash));

I think that’s about it.

Here is how I got the signin-certificate attribute

Attribute signingCertificateAttribute;
MessageDigest dig = MessageDigest.getInstance(DigestAlgorithm().getName(),
    new BouncyCastleProvider());

byte[] certHash = dig.digest(SigningCertificate().getEncoded());

if (DigestAlgorithm() == DigestAlgorithm.SHA1) {
    SigningCertificate sc = new SigningCertificate(new ESSCertID(certHash));

    signingCertificateAttribute = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificate, new DERSet(sc));

} else {
    ESSCertIDv2 essCert = new ESSCertIDv2(new AlgorithmIdentifier(DigestAlgorithm().getOid()), certHash);
    SigningCertificateV2 scv2 = new SigningCertificateV2(new ESSCertIDv2[] { essCert });

    signingCertificateAttribute =  new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new DERSet(scv2));
}

Hope it helps

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    CAdES is an extension of CMS (aka PKCS7), which is possible to do with BouncyCastle. RFC5126 contains everything needed for a CAdES signature, also, I recommend lookup info on ASN.1 since most of the parts are described in that format.

    I am currently in hunt for the same answer you are looking for and found that the book Beginning Cryptography with Java by David Hook gives a lot of detailed information you might need.

    • 0