Class ExampleScenario26
java.lang.Object
co.ankatech.ankasecure.sdk.examples.ExampleScenario26
Scenario 26: PKCS#7 to JOSE Migration
Demonstrates a complete migration of a legacy cryptographic system: programmatically generate PKCS#7 SignedAndEnvelopedData (using Bouncy Castle), decrypt and verify it, then migrate the content to the modern JOSE format (JWE) with post-quantum cryptography.
Real-World Context:
Many enterprise systems (healthcare, finance, government) use PKCS#7/CMS for secure messaging. Migrating to JOSE provides:
- JSON compatibility: JOSE uses JSON, easier to parse than ASN.1/DER
- Web standards: Native support in JWT libraries
- Post-quantum ready: JOSE supports ML-KEM, ML-DSA (PKCS#7 does not)
- Simpler tooling: Better developer experience than legacy PKCS#7
Steps:
- Generate legacy RSA-2048 key pair (Bouncy Castle)
- Create self-signed X.509 certificate
- Create PKCS#7 SignedData (sign plaintext with RSA)
- Create PKCS#7 EnvelopedData (encrypt SignedData with RSA)
- Write binary PKCS#7 file (SignedAndEnvelopedData)
- Import RSA key to AnkaSecure via PKCS#12
- Decrypt PKCS#7 EnvelopedData (extract SignedData)
- Verify PKCS#7 SignedData (extract plaintext)
- Generate ML-KEM-768 key for modern encryption
- Encrypt plaintext with JOSE (JWE format)
- Decrypt JOSE and validate migration success
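The PKCS#7 half of these steps (key pair, self-signed certificate, SignedData, EnvelopedData, then decrypt and verify) as an added Bouncy Castle example; it is not the SDK's ExampleScenario26 source. The class name, certificate subject, sample plaintext, SHA256withRSA and AES-256-CBC are assumptions of this example, and the AnkaSecure import and JWE steps are left out because the page does not show those SDK calls.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class Pkcs7RoundTrip { // hypothetical class name
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Legacy RSA-2048 key pair and self-signed certificate (constructed subject, 1-day validity).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Principal dn = new X500Principal("CN=pkcs7-migration-demo");
        Date from = new Date(System.currentTimeMillis() - 60_000L), to = new Date(from.getTime() + 86_400_000L);
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(
            new JcaX509v3CertificateBuilder(dn, BigInteger.ONE, from, to, dn, kp.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
        // SignedData with the plaintext encapsulated (constructed sample content).
        byte[] plaintext = "constructed sample record".getBytes(StandardCharsets.UTF_8);
        CMSSignedDataGenerator signer = new CMSSignedDataGenerator();
        signer.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder()
            .build("SHA256withRSA", kp.getPrivate(), cert));
        byte[] signed = signer.generate(new CMSProcessableByteArray(plaintext), true).getEncoded();
        // EnvelopedData around the SignedData; RSA key transport, AES-256-CBC content encryption.
        CMSEnvelopedDataGenerator enveloper = new CMSEnvelopedDataGenerator();
        enveloper.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(cert));
        byte[] pkcs7 = enveloper.generate(new CMSProcessableByteArray(signed),
            new JceCMSContentEncryptorBuilder(CMSAlgorithm.AES256_CBC).build()).getEncoded();
        // Decrypt: pick the RecipientInfo addressed to our certificate instead of the first one found.
        RecipientInformation ri = new CMSEnvelopedData(pkcs7).getRecipientInfos()
            .get(new JceKeyTransRecipientId(cert));
        if (ri == null) throw new SecurityException("no RecipientInfo for our certificate");
        byte[] inner = ri.getContent(new JceKeyTransEnvelopedRecipient(kp.getPrivate()));
        // Verify against the certificate we trust, not one carried inside the message,
        // and reject content that has no signer at all before migrating it.
        CMSSignedData sd = new CMSSignedData(inner);
        if (sd.getSignerInfos().size() == 0) throw new SecurityException("unsigned PKCS#7 content");
        for (SignerInformation si : sd.getSignerInfos().getSigners())
            if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)))
                throw new SecurityException("PKCS#7 signature invalid");
        byte[] recovered = (byte[]) sd.getSignedContent().getContent();
        System.out.println("recovered matches original: " + Arrays.equals(plaintext, recovered));
    }
}
```

Requires the Bouncy Castle provider and PKIX/CMS jars (bcprov, bcpkix) on the classpath.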
Key Technologies:
- PKCS#7 (Legacy): CMS SignedData + EnvelopedData with RSA-2048
- JOSE (Modern): JWE with ML-KEM-768 post-quantum encryption
- Migration tool: Bouncy Castle for PKCS#7 parsing and generation
API Endpoints:
- POST /api/migration/pkcs12 (import legacy RSA key)
- POST /api/key-management/keys (generate ML-KEM key)
- POST /api/crypto/stream/encrypt (JOSE encryption)
- POST /api/crypto/stream/decrypt (JOSE decryption)
Since: 3.0.0