OpenSSL签名未在Java中验证
OpenSSL签名未在Java中验证
提问于 2015-11-30 12:09:27
我有一个用目标C (iOS)编写的移动应用程序,我需要为服务器生成签名,以使用前面提供的公钥进行验证。
我很难获得签名来验证OpenSSL在我的移动应用程序上创建的签名。我让Java通信工作并创建有效的签名,我只是不能让OpenSSL创建有效的签名。有可能我的Java算法是不正确的,但在这个阶段,我对此相当陌生。
下面是生成签名的OpenSSL代码:
RCT_EXPORT_METHOD(signDataWithKey:(NSString *)dataToSign
privateKey:(NSString *)privateKey
callback:(RCTResponseSenderBlock)callback)
{
int retEr;
char* text = (char*) [dataToSign UTF8String];
unsigned char *data;
unsigned long dataLen;
// converting nsstring base64 private key to openssl RSA key
BIO *mem = NULL;
RSA *rsa_private = NULL;
char *private_key = (char*)[privateKey UTF8String];
NSLog(@"Processing private key %s", private_key);
mem = BIO_new_mem_buf(private_key, strlen(private_key));
if (mem == NULL)
{
char buffer[120];
ERR_error_string(ERR_get_error(), buffer);
NSLog(@"Error loading private key %s", buffer);
}
rsa_private = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
BIO_free (mem);
if (rsa_private == NULL)
{
char buffer[120];
ERR_error_string(ERR_get_error(), buffer);
NSLog(@"OpenSSL error: %s", buffer);
} else {
NSLog(@"Successfully loaded private key");
}
// end of convertion
data = (unsigned char *) text;
dataLen = strlen(text);
//// creating signature
// sha256
unsigned char hash[SHA256_DIGEST_LENGTH];
unsigned char sign[256];
unsigned int signLen;
SHA256(data, dataLen, hash);
unsigned char *shaString = sha256_hash_string(hash);
NSData* plainData = [NSData dataWithBytes:(const void *)shaString length:strlen(shaString)];
NSString *base64String = [plainData base64EncodedStringWithOptions:0];
NSLog(@"Base64 checksum %@", base64String);
NSLog(@"SHA256 of %s is %send", text, shaString);
// signing
retEr = RSA_sign(NID_sha256WithRSAEncryption, shaString, strlen(shaString), sign, &signLen, rsa_private);
NSData* signatureData = [NSData dataWithBytes:(const void *)sign length:signLen];
NSString *base64Signature = [signatureData base64EncodedStringWithOptions:0];
NSLog(@"Got signed data %@", base64Signature);
// printf("Signature len gth = %d\n", signLen);
NSLog(@"RSA_sign: %@ signature length = %u", (retEr == 1) ? @"RSA_sign success": @"RSA_sign error", signLen);
NSLog(@"Got signed data %@", base64Signature);
RSA_free(rsa_private);
callback(@[base64Signature]);
}
unsigned char *sha256_hash_string (unsigned char hash[SHA256_DIGEST_LENGTH])
{
unsigned char *outputBuffer = calloc(65, sizeof(char));
int i = 0;
for(i = 0; i < SHA256_DIGEST_LENGTH; i++)
{
sprintf(outputBuffer + (i * 2), "%02x", hash[i]);
}
outputBuffer[64] = 0;
return outputBuffer;
}您将看到,我实际上使用的是SHA256哈希的字符串表示--而不是二进制--这是有意的。然后我拿着那根绳子,然后签了字。
下面是验证签名的Java代码:
public static boolean verifySignature(PublicKey publicKey, byte[] signedData, String signature) {
java.security.Security.addProvider(
new org.bouncycastle.jce.provider.BouncyCastleProvider()
);
Signature signatureCheck = Signature.getInstance("SHA256withRSA", "BC");
signatureCheck.initVerify(publicKey);
signatureCheck.update(signedData);
return signatureCheck.verify(CryptoUtil.Base64Decode(signature))
}一切似乎都是正确的(我已经手动验证了私钥/公钥对),如果我使用Java对相同的数据进行签名,它将验证(如下所示):
public static String getSignatureForString(PrivateKey privateKey, String data) {
Signature signature = Signature.getInstance("SHA256withRSA", "BC");
signature.initSign(privateKey);
signature.update(data.getBytes());
byte[] signed = signature.sign();
return CryptoUtil.Base64Encode(signed);
}我在这里真的处于死胡同,我尝试过各种改变RSA_sign方法的方法来使用NID_sha256本身和其他排列,但在这个阶段我只是猜测。如果有人曾经成功地做过这类事情,我会很感激你的帮助。
Stack Overflow用户
回答已采纳
发布于 2015-11-30 18:06:13
好的,我不知道为什么这与RSA_sign方法有什么不同,但是在测试了openssl_verify()和openssl_sign()之后,这些函数为用Java创建的签名生成了正确的结果,我决定通过PHP源代码来了解它们是如何实现的。无论如何,PHP使用带有EVP_前缀的函数(根据OpenSSL文档,高级加密函数)。无论如何,我调整了目标C代码来代替这些函数,现在我的签名在所有语言中都是匹配的。我希望这能帮上忙。
RCT_EXPORT_METHOD(signDataWithKey:(NSString *)dataToSign
privateKey:(NSString *)privateKey
callback:(RCTResponseSenderBlock)callback)
{
int retEr;
char* text = (char*) [dataToSign UTF8String];
unsigned char *data;
unsigned long dataLen;
// converting nsstring base64 private key to openssl RSA key
BIO *mem = NULL;
EVP_PKEY *pkey;
char *private_key = (char*)[privateKey UTF8String];
EVP_MD_CTX md_ctx;
NSLog(@"Processing private key %s", private_key);
mem = BIO_new_mem_buf(private_key, strlen(private_key));
if (mem == NULL)
{
char buffer[120];
ERR_error_string(ERR_get_error(), buffer);
NSLog(@"Error loading private key %s", buffer);
}
// CHANGED
pkey = PEM_read_bio_PrivateKey(mem, NULL, NULL, NULL);
BIO_free (mem);
if (pkey == NULL)
{
char buffer[120];
ERR_error_string(ERR_get_error(), buffer);
NSLog(@"OpenSSL error: %s", buffer);
} else {
NSLog(@"Successfully loaded private key");
}
// end of convertion
data = (unsigned char *) text;
dataLen = strlen(text);
//// creating signature
// sha256
unsigned char hash[SHA256_DIGEST_LENGTH];
unsigned char sign[4096];
int signLen;
SHA256(data, dataLen, hash);
unsigned char *shaString = sha256_hash_string(hash);
NSData* plainData = [NSData dataWithBytes:(const void *)shaString length:strlen(shaString)];
NSString *base64String = [plainData base64EncodedStringWithOptions:0];
NSLog(@"Base64 checksum %@", base64String);
NSLog(@"SHA256 of %s is %s end", text, shaString);
// CHANGED - Using EVP to sign now.
EVP_SignInit(&md_ctx, EVP_sha256());
EVP_SignUpdate(&md_ctx, shaString, strlen(shaString));
retEr = EVP_SignFinal(&md_ctx, sign, &signLen, pkey);
// OLD METHOD
//retEr = RSA_sign(NID_sha256WithRSAEncryption, shaString, strlen(shaString), sign, &signLen, rsa_private);
NSData* signatureData = [NSData dataWithBytes:(const void *)sign length:signLen];
NSString *base64Signature = [signatureData base64EncodedStringWithOptions:0];
NSLog(@"Got signed data %@", base64Signature);
// printf("Signature len gth = %d\n", signLen);
NSLog(@"RSA_sign: %@ signature length = %u", (retEr == 1) ? @"RSA_sign success": @"RSA_sign error", signLen);
NSLog(@"Got signed data %@", base64Signature);
EVP_PKEY_free(pkey);
callback(@[base64Signature]);
}
unsigned char *sha256_hash_string (unsigned char hash[SHA256_DIGEST_LENGTH])
{
unsigned char *outputBuffer = calloc(65, sizeof(char));
int i = 0;
for(i = 0; i < SHA256_DIGEST_LENGTH; i++)
{
sprintf(outputBuffer + (i * 2), "%02x", hash[i]);
}
outputBuffer[64] = 0;
return outputBuffer;
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/33998359
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号