Question

How do I create a CMS (a.k.a. PKCS7) certificate?

The following Bouncy Castle code creates a PKCS12 certificate:

    import org.bouncycastle.asn1.ASN1EncodableVector;
    import org.bouncycastle.asn1.DERBMPString;
    import org.bouncycastle.asn1.DERBitString;
    import org.bouncycastle.asn1.DERSequence;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    import org.bouncycastle.asn1.x509.Certificate;
    import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
    import org.bouncycastle.jce.provider.X509CertificateObject;
    import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;

    // Assumed from earlier code: tbsCert (TBSCertificate), sigAlgId (AlgorithmIdentifier),
    // signature (byte[] over the DER-encoded tbsCert) and pubKey (java.security.PublicKey).
    ASN1EncodableVector v = new ASN1EncodableVector();

    // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    v.add(tbsCert);
    v.add(sigAlgId);
    v.add(new DERBitString(signature));

    X509CertificateObject clientCert = new X509CertificateObject(Certificate.getInstance(new DERSequence(v)));

    // Bag attributes (OIDs from PKCS#9) travel with the certificate when it is written into a PKCS#12 file
    PKCS12BagAttributeCarrier bagCert = clientCert;
    bagCert.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
            new DERBMPString("Certificate for IPSec WLAN access"));
    bagCert.setBagAttribute(
            PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
            new SubjectKeyIdentifierStructure(pubKey));

I see there is CMSSignedDataGenerator in the API, but I am not sure if it's applicable to my case and, if so, how...

I also don't understand why, if the created certificate is a PKCS12 one, they use PKCS9 variables in order to build it.


Solution

There is no such thing as a CMS certificate or PKCS#12 certificate.

CMS is the Cryptographic Message Syntax. It specifies a container format that may contain X.509-compatible certificates of the signer. PKCS#12 is a container format for cryptographic objects; it is often used to store one or more certificate/private key pairs. PKCS#9 explicitly defines attributes for X.509 certificates.

You probably just need to build an X.509 certificate, possibly using PKCS#9-defined attributes. Those certificates should be compatible with both CMS and PKCS#12.
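
The following is an added example, not part of the original answer or of the Bouncy Castle project, showing the point the answer makes: one ordinary X.509 certificate is built with the current BC certificate API, stored together with its private key in a PKCS#12 keystore (where the alias becomes the PKCS#9 friendlyName bag attribute), read back, and then used with CMSSignedDataGenerator to produce a CMS SignedData that embeds the same certificate and verifies against it. It assumes bcprov and bcpkix on the classpath; the subject name, alias, password and signed content are constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.Store;

// Added example (not from the original page): the same X.509 certificate in PKCS#12 and in CMS.
public class CertInCmsAndPkcs12 {

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // 1. Key pair and a self-signed X.509 certificate: this is the only "certificate" object there is.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        X500Name subject = new X500Name("CN=example client, O=Example");   // constructed sample subject
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                subject, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, subject, kp.getPublic());
        ContentSigner certSigner = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(kp.getPrivate());
        X509CertificateHolder holder = builder.build(certSigner);
        X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);

        // 2. PKCS#12: the certificate and its private key go into the container; the alias is written
        //    as the PKCS#9 friendlyName bag attribute by the keystore implementation.
        char[] password = "changeit".toCharArray();                     // constructed sample password
        KeyStore p12 = KeyStore.getInstance("PKCS12", "BC");
        p12.load(null, null);
        p12.setKeyEntry("client", kp.getPrivate(), password, new java.security.cert.Certificate[] { cert });
        ByteArrayOutputStream p12Bytes = new ByteArrayOutputStream();
        p12.store(p12Bytes, password);

        // Reading the PKCS#12 back yields the same X.509 certificate, nothing PKCS#12-specific.
        KeyStore reloaded = KeyStore.getInstance("PKCS12", "BC");
        reloaded.load(new ByteArrayInputStream(p12Bytes.toByteArray()), password);
        X509Certificate fromP12 = (X509Certificate) reloaded.getCertificate("client");

        // 3. CMS SignedData: sign some content and embed that certificate in the SignedData.certificates set.
        byte[] content = "hello, signed world".getBytes(StandardCharsets.UTF_8); // constructed sample content
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        ContentSigner cmsSigner = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(kp.getPrivate());
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()).build(cmsSigner, fromP12));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(fromP12)));
        CMSSignedData signed = gen.generate(new CMSProcessableByteArray(content), true); // true = encapsulate content

        // 4. Verify the SignedData using only the certificate carried inside it.
        CMSSignedData parsed = new CMSSignedData(signed.getEncoded());
        Store<X509CertificateHolder> certs = parsed.getCertificates();
        boolean allValid = true;
        for (SignerInformation signer : parsed.getSignerInfos().getSigners()) {
            X509CertificateHolder match = certs.getMatches(signer.getSID()).iterator().next();
            allValid &= signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(match));
        }
        System.out.println("certificate from PKCS#12 equals original: " + cert.equals(fromP12));
        System.out.println("CMS signature verifies: " + allValid);
    }
}
```

Both printed lines should read true. Note that the PKCS#9 OIDs from the question (friendlyName, localKeyId) never touch the certificate bytes; they are metadata stored alongside the certificate inside the PKCS#12 file, which is why the identical certificate can be handed to CMSSignedDataGenerator unchanged.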

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow