How to Generate Signed Data (PKCS#7)

Java Code for All API Methods

public static String getSigndata(byte[] tbs, String path, String pin) throws Exception {
    Security.addProvider(new BouncyCastleProvider());

    FileInputStream fis = new FileInputStream(path);
    KeyStore ks = KeyStore.getInstance("pkcs12");
    ks.load(fis, pin.toCharArray());
    String alias = ks.aliases().nextElement();

    Certificate[] certificateChain = ks.getCertificateChain(alias);
    PrivateKey privateKey = (PrivateKey) ks.getKey(alias, pin.toCharArray());
    X509Certificate certificate = (X509Certificate) ks.getCertificate(alias);

    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
    generator.addSigner(privateKey, certificate, CMSSignedDataGenerator.DIGEST_SHA256);

    ArrayList list = new ArrayList();
    for (int i = 0; i < certificateChain.length; i++) {
    CertStore chainStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(list), new BouncyCastleProvider());

    CMSProcessable content = new CMSProcessableByteArray(tbs);
    CMSSignedData signedData = generator.generate(content, true, new BouncyCastleProvider().getName());
    String pkcs7Data = new String(Base64.encode(signedData.getEncoded()));
    pkcs7Data = pkcs7Data.replaceAll("\\r|\\n", "");
    return pkcs7Data;

Use code with caution. Learn morecontent_copy

.NET Code for All API Methods

public String Signeddataraca(String tbsData,String PFXFilePath, String pin)
string Signeddataraca = string.Empty; Encryption oEncryption = new Encryption();
CryptoConfig.AddAlgorithm(typeof(Security.Cryptography.RSAPKCS1SHA256SignatureDes cription), "");

X509Certificate2 Cert = new X509Certificate2(PFXFilePath, pin, X509KeyStorageFlags.Exportable);
byte[] tbsBytes = Encoding.ASCII.GetBytes(tbsData);

RSACryptoServiceProvider key1 = (RSACryptoServiceProvider)Cert.PrivateKey;
RSAParameters rasparam = key1.ExportParameters(true);
AsymmetricCipherKeyPair keypair = Org.BouncyCastle.Security.DotNetUtilities.GetRsaKeyPair(rasparam);
AsymmetricKeyParameter privateKey = keypair.Private; RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
Org.BouncyCastle.X509.X509Certificate ce = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(Cert);
AsymmetricKeyParameter publicKey = ce.GetPublicKey(); CmsSignedDataGenerator generator = new CmsSignedDataGenerator(); generator.AddSigner(privateKey, ce, CmsSignedDataGenerator.DigestSha256);

var storeCerts = new List<Org.BouncyCastle.X509.X509Certificate>(); storeCerts.Add(ce);
var storeParams = new X509CollectionStoreParameters(storeCerts);
var certStore = X509StoreFactory.Create("CERTIFICATE/COLLECTION", storeParams); generator.AddCertificates(certStore);

CmsProcessable content = new CmsProcessableByteArray(tbsBytes); CmsSignedData signeddata = generator.Generate(content, true); byte[] byteSignedData = signeddata.GetEncoded();
string encodedSigneddata = System.Convert.ToBase64String(byteSignedData); Signeddataraca = encodedSigneddata;
return Signeddataraca;
InputData TypeDescription


Byte Array

You need to pass TBS data which differs for each method

· TBS data will be CSR data, for createCertificate()

· TBS data will be (Subject DN details, key algorithm & size, PFX password) for createSoftTokenCert()

· TBS data will be Subject DN details, key algorithm & size, PFX password) should be signed by the PFX) for createSoftTokenCert()

· TBS data will be Certificate serial number for


· TBS data will be Certificate serial number for


TBS data will be Signed data for isSignatureValid()

PFX Path


You need to pass the path where PFX should be stored



You need to pass PFX password of Certificate

Last updated