Hi All,

I am designing signer tool for which the steps are as below:

1. Use a PKCS keystore (pfx file) (as specified by the certificate vendor)
2. Specify the Signature Algorithm (SHA256WITHRSA)
3. Read the file from system (original file)
4. Use Bouncy Castle provider to create CSM/PKCS#7 signed message.
5. Create an instance of Bouncy Castle's CMSSignedDataGenerator call addSigner API by passing Private key, Certificate and Digest Algorithm(SHA256WITHRSA)
6. Create instance of CMSSignedData and signed the original content by it. Here you need to use CMSProcessable Class in JAVA API to sign the original content.
Calls generate method of CMSSignedData API by passing cmsdata (i.e. output got after step 5, false, and “Provider Name” (i.e. BC in this case).
7. Now encode the signature with Base64 encoder
8. Extract the public key certificate from the keystore and encode it to Base64.
9. Encode the Original file also into Base64
10. Preparing XML of the signed file as mentioned follows.

Signed Envelope has following three components:

1. OrgContent- Original data is encoded in Base64.
2. Signature- Generate detached signed data by using the Private key and Certificate. SHA256 Digest Algorithm is used. DER Encoded signed data is retrieved from the signed data and Base64 encoded.
3. Certificate- Certificate matching the above signer id is retrieved from the store and Base64 encoded.

Does anyone have any idea regarding this?