Trusting Your E-mail with Java Security

By Theodore J. Shrader
2003-12-04

Using PKCS and S/MIME

We've shown how to sign data using objects and algorithms in the JCA, but what about a higher level application of using public and private keys? Our earlier example centered on sending and receiving a signed message. To accomplish this, we need to build upon the technology and algorithms of public and private keys and utilize the Public Key Cryptography Standards (PKCS) and Secure/Multipurpose Internet Mail Extension (S/MIME) standards.

In the early 1990s, RSA and a consortium of companies created the PKCS standards to encompass the different technologies that used public keys. PKCS #7, Cryptographic Message Syntax (CMS), defines how the various objects that compose signed data should be packaged for interoperability. Note that we could accomplish signing data without the PKCS standards, but we don't have a standard way for all parties to group together the different objects and encode and decode them for interoperability. The SignedData object defines how the original message, the signing certificate(s), and the signature information should be packaged together. The S/MIME standards build upon the PKCS standards, primarily PKCS #7, to define how SignedData should be sent using the MIME standards already established.

The following Java pseudocode shows how much easier it is to sign and verify data using the PKCS #7 SignedData object than with the fundamental security objects available with the JCA.





// Signing data

  // Encapsulate the data to sign.

  Data data = new Data();

  data.setBytes(message);

  ContentInfo ci = new ContentInfo(data);

  // Create the SignedData object

        // and generate the signature at the same time.

  SignedData sd = new SignedData(ci, signingCert,

          signingPrivateKey, signingAlgorithm);

  // Verifying data

  // Verify the SignedData signature by retrieving one of the

  // signing certificates.  (The SignedData object could store

  // more than one signature depending upon the number of different

  // signers of the content.)

  // The issuerAndSerialNumber corresponds to the unique identifier

  // of a certificate (its IssuerDN and SerialNumber).

  Certificate cert = sd.getCertificate(issuerAndSerialNumber);

  // PKCS method extracts the public key from the certificate.

  // The SignedData object already contains the original content

  // and algorithms used to create the signature.

  if (sd.verify(cert)) {

          System.out.println("SignedData verified.");

      }

PKCS and S/MIME support is not yet a standard part of the Java Runtime Environment (JRE). Different companies currently provide their own classes and methods to implement PKCS and S/MIME in the Java language. IBM, Sun, and the Java community are working together to include PKCS as part of the JRE base classes. This effort will make the PKCS security technologies more of a commodity, allowing all Java developers to have a standard set of classes and methods with which to write and deliver successful e-business applications.

Tutorial Pages:
» Java technologies give you a complete and secure solution
» Security requirements
» Failing scenarios
» Building closed systems
» Using a secret key
» Opening the message
» Public and private keys
» Signing a message
» Signing messages with Java technologies
» Using PKCS and S/MIME
» Encrypting messages
» Conclusion

First published by IBM DeveloperWorks

Related Tutorials:
» All about JAXP, Part 1
» Make Database Queries Without the Database
» Load List Values for Improved Efficiency
» 2 Ways To Implement Session Tracking
» A Simple Way to Read an XML File in Java
» Develop Aspect-Oriented Java Applications with Eclipse and AJDT