PKCS

Encryption Format

The PKCS#7 message format is defined in RFC 2315/5652.

The content encryption algorithm used is 'AES256/CBC/PKCS7Padding'.

The key encryption algorithm is 'RSAES-PKCS1-v1_5' (RSA/NONE/PKCS1Padding) or 'RSA/NONE/OAEPWithSHA256AndMGF1Padding' (with MGF1 using SHA-256), depending on TSP configuration, with an encryption certificate shared at the begining of the project.

The encryption result is encoded using base64 in order to be transported in the JSON message.

Certificate Exchange

The customer creates RSA 2048-bit or RSA 4096-bit key pair.
The customer generates a Certificate Signing Request (CSR) from that RSA key.
The customer sends to Thales project team the CSR in PEM format.

Code Sample

Here is a JAVA code sample that handles encryption/decryption of the PKCS#7 data using BouncyCastle library.

package com.gemalto.test.pkcs7;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.util.Collection;

import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.KeyTransRecipientInformation;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.bc.BcCMSContentEncryptorBuilder;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.util.encoders.Base64;

public class MainPKCS7 {

	private static final String DATA_TO_ENCRYPT = "{\"fpan\":\"4974013055554646\",\"exp\":\"0316\",\"cvv\":\"123\"}";

	private static BouncyCastleProvider bcProvider;
	private static PrivateKey privKey;
	private static PublicKey pubKey;

	static {
		try {
			KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
			kpg.initialize(2048);
			KeyPair kp = kpg.generateKeyPair();
			privKey = kp.getPrivate();
			pubKey = kp.getPublic();
			bcProvider = new BouncyCastleProvider();
			Security.addProvider(bcProvider);
		} catch (Exception e) {
			e.printStackTrace();
		}
	}

	public static void main(String[] args) throws Exception {
		

		// Encrypt
		byte[] encData = encryptPKCS7(DATA_TO_ENCRYPT.getBytes());
		System.out.println("Encrypted data = " + Base64.toBase64String(encData));

		// Decrypt
		byte[] result = decryptPKCS7(encData);
		System.out.println("Decrypted data = " + new String(result));

	}

	private static byte[] encryptPKCS7(byte[] plainData) throws Exception {
		// set up the generator
		CMSEnvelopedDataGenerator gen = new CMSEnvelopedDataGenerator();
		gen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(new byte[] { 0x01 }, pubKey)
				.setProvider(bcProvider));
		// create the enveloped-data object
		CMSProcessableByteArray data = new CMSProcessableByteArray(plainData);
		BcCMSContentEncryptorBuilder builder = new BcCMSContentEncryptorBuilder(CMSAlgorithm.AES256_CBC);
		OutputEncryptor oe = builder.build();
		CMSEnvelopedData enveloped = gen.generate(data, oe);

		return enveloped.getEncoded();
	}

	private static byte[] decryptPKCS7(byte[] encryptedData) throws Exception {
		CMSEnvelopedData enveloped = new CMSEnvelopedData(encryptedData);
		Collection<RecipientInformation> recip = enveloped.getRecipientInfos().getRecipients();
		KeyTransRecipientInformation rinfo = (KeyTransRecipientInformation) recip.iterator().next();
		byte[] contents = rinfo.getContent(new JceKeyTransEnvelopedRecipient(privKey).setProvider(bcProvider));
		return (contents);
	}

}

PreviousSecurity NextConnectivity overview

Last updated 4 months ago

Was this helpful?