How does the Bouncy Castle API know which key to encrypt with?
I'm interested in the Bouncy Castle API process for handling multiple public keys for data encryption. For example, if I have 3 different clients who would like me to encrypt data and send it using their public key for encryption, if I label each public key of each client accordingly - how the invigorating lock determines that client 1 should be encrypted using public key 1 and not public key 3 (which would be the public key for client 3)?
it would seem from a decrpytion standpoint that publicKeyEncryptedData has an IDID key attached to it that can be used to find the matching private key, but I don't understand how it picks the correct key to encrypt.
source to share
This is not true. You must include all recipients (for example, certificates for encryption). When you encrypt using PKCS # 7, the process is as follows:
- Generate a random symmetric key (i.e. AES256)
- encrypt data with a symmetric key
- encrypt the symmetric key with the recipient's public key (if recipients X should be able to decrypt, then encrypt the symmetric key X times)
- combine everything in PKCS # 7 (the encrypted symmetric key is placed in a structure with some identification of the recipient. This is usually the serial number and the issuer number of the certificate that was used to encrypt the symmetric key)
Decryption process:
- find a recipient who can decrypt the message. PKCS # 7 contains the sequence numbers and DNs of all recipients that must be able to decrypt. Now take a look at the crypto store for the certificate with the serial number and issuer DN that has the corresponding private key. It doesn't matter which secret key is used as long as you have all the recipients of the private keys in the crypto vault.
- use the private key to decrypt the symmetric key used in the encryption process.
- use a symmetric key to decrypt data
source to share