我已经通过大量的例子说明人们如何使用Bouncy Castle动态生成RSA密钥对,然后在一个代码块内签名并验证所有内容。那些答案很棒,真的帮助我迅速提升!
那就是说,我需要创建一个客户端,可以通过WCF JSON调用公钥,以便以后用于签名验证,我似乎无法使其工作。首先是我用来生成证书的代码:
public System.Security.Cryptography.X509Certificates.X509Certificate2 LoadCertificate()
{
System.Security.Cryptography.X509Certificates.X509Certificate2 returnX509 = null;
//X509Certificate returnCert = null;
try
{
returnX509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(CertificateName, CertificatePassword);
//returnCert = DotNetUtilities.FromX509Certificate(returnX509);
}
catch
{
Console.WriteLine("Failed to obtain cert - trying to make one now.");
try
{
Guid nameGuid = Guid.NewGuid();
AsymmetricCipherKeyPair kp;
var x509 = GenerateCertificate("CN=Server-CertA-" + nameGuid.ToString(), out kp);
SaveCertificateToFile(x509, kp, CertificateName, CertificateAlias, CertificatePassword);
returnX509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(CertificateName, CertificatePassword);
//returnCert = DotNetUtilities.FromX509Certificate(returnX509);
Console.WriteLine("Successfully wrote and retrieved cert!");
}
catch (Exception exc)
{
Console.WriteLine("Failed to create cert - exception was: " + exc.ToString());
}
}
return returnX509;
}
完成后,我会使用以下代码签署一条消息:
public string SignData(string Message, string PrivateKey)
{
try
{
byte[] orgBytes = UnicodeEncoding.ASCII.GetBytes(Message);
byte[] privateKey = UnicodeEncoding.ASCII.GetBytes(PrivateKey);
string curveName = "P-521";
X9ECParameters ecP = NistNamedCurves.GetByName(curveName);
ECDomainParameters ecSpec = new ECDomainParameters(ecP.Curve, ecP.G, ecP.N, ecP.H, ecP.GetSeed());
ISigner signer = SignerUtilities.GetSigner("SHA-256withECDSA");
BigInteger biPrivateKey = new BigInteger(privateKey);
ECPrivateKeyParameters keyParameters = new ECPrivateKeyParameters(biPrivateKey, ecSpec);
signer.Init(true, keyParameters);
signer.BlockUpdate(orgBytes, 0, orgBytes.Length);
byte[] data = signer.GenerateSignature();
//Base64 Encode
byte[] encodedBytes;
using (MemoryStream encStream = new MemoryStream())
{
base64.Encode(orgBytes, 0, orgBytes.Length, encStream);
encodedBytes = encStream.ToArray();
}
if (encodedBytes.Length > 0)
return UnicodeEncoding.ASCII.GetString(encodedBytes);
else
return "";
}
catch (Exception exc)
{
Console.WriteLine("Signing Failed: " + exc.ToString());
return "";
}
}
最后,我试图验证:
public bool VerifySignature(string PublicKey, string Signature, string Message)
{
try
{
AsymmetricKeyParameter pubKey = new AsymmetricKeyParameter(false);
var publicKey = PublicKeyFactory.CreateKey(Convert.FromBase64String(PublicKey));
ISigner signer = SignerUtilities.GetSigner("SHA-256withECDSA");
byte[] orgBytes = UnicodeEncoding.ASCII.GetBytes(Message);
signer.Init(false, publicKey);
signer.BlockUpdate(orgBytes, 0, orgBytes.Length);
//Base64 Decode
byte[] encodeBytes = UnicodeEncoding.ASCII.GetBytes(Signature);
byte[] decodeBytes;
using (MemoryStream decStream = new MemoryStream())
{
base64.Decode(encodeBytes, 0, encodeBytes.Length, decStream);
decodeBytes = decStream.ToArray();
}
return signer.VerifySignature(decodeBytes);
}
catch (Exception exc)
{
Console.WriteLine("Verification failed with the error: " + exc.ToString());
return false;
}
}
这是我的测试应用:
Console.WriteLine("Attempting to load cert...");
System.Security.Cryptography.X509Certificates.X509Certificate2 thisCert = LoadCertificate();
if (thisCert != null)
{
Console.WriteLine(thisCert.IssuerName.Name);
Console.WriteLine("Signing the text - Mary had a nuclear bomb");
string signature = SignData("Mary had a nuclear bomb", thisCert.PublicKey.Key.ToXmlString(true));
Console.WriteLine("Signature: " + signature);
Console.WriteLine("Verifying Signature");
if (VerifySignature(thisCert.PublicKey.Key.ToXmlString(false), signature, "Mary had a nuclear bomb."))
Console.WriteLine("Valid Signature!");
else
Console.WriteLine("Signature NOT valid!");
}
当我尝试运行测试应用程序时,我收到错误"密钥无法在指定状态下使用。"在线:
string signature = SignData("Mary had a nuclear bomb", thisCert.PublicKey.Key.ToXmlString(true));
我尝试更换" PublicKey.Key"与" PrivateKey"但这并没有什么不同。我也试过使用BounceyCastle X509Certificate,但我无法弄清楚如何提取密钥。有什么想法吗?
谢谢!
更新:我确实弄清楚如何使用.NET进行签名和验证,但这对我来说并不实用,因为我需要跨平台,事实上,我们的主客户端应用程序是用Java编写的。有人知道Bouncy Castle相当于下面的代码吗?
public string SignDataAsXml(string Message, X509Certificate2 ThisCert)
{
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = false;
doc.LoadXml("<core>" + Message + "</core>");
// Create a SignedXml object.
SignedXml signedXml = new SignedXml(doc);
// Add the key to the SignedXml document.
signedXml.SigningKey = ThisCert.PrivateKey;
// Create a reference to be signed.
Reference reference = new Reference();
reference.Uri = "";
// Add an enveloped transformation to the reference.
XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);
// Add the reference to the SignedXml object.
signedXml.AddReference(reference);
// Create a new KeyInfo object.
KeyInfo keyInfo = new KeyInfo();
// Load the certificate into a KeyInfoX509Data object
// and add it to the KeyInfo object.
keyInfo.AddClause(new KeyInfoX509Data(ThisCert));
// Add the KeyInfo object to the SignedXml object.
signedXml.KeyInfo = keyInfo;
// Compute the signature.
signedXml.ComputeSignature();
// Get the XML representation of the signature and save
// it to an XmlElement object.
XmlElement xmlDigitalSignature = signedXml.GetXml();
// Append the element to the XML document.
doc.DocumentElement.AppendChild(doc.ImportNode(xmlDigitalSignature, true));
if (doc.FirstChild is XmlDeclaration)
{
doc.RemoveChild(doc.FirstChild);
}
using (var stringWriter = new StringWriter())
{
using (var xmlTextWriter = XmlWriter.Create(stringWriter))
{
doc.WriteTo(xmlTextWriter);
xmlTextWriter.Flush();
return stringWriter.GetStringBuilder().ToString();
}
}
}
public bool VerifyXmlSignature(string XmlMessage, X509Certificate2 ThisCert)
{
// Create a new XML document.
XmlDocument xmlDocument = new XmlDocument();
// Load the passed XML file into the document.
xmlDocument.LoadXml(XmlMessage);
// Create a new SignedXml object and pass it the XML document class.
SignedXml signedXml = new SignedXml(xmlDocument);
// Find the "Signature" node and create a new XmlNodeList object.
XmlNodeList nodeList = xmlDocument.GetElementsByTagName("Signature");
// Load the signature node.
signedXml.LoadXml((XmlElement)nodeList[0]);
// Check the signature and return the result.
return signedXml.CheckSignature(ThisCert, true);
}
答案 0 :(得分:10)
Bouncy Castle根本不支持XML格式。除非您的用例严格要求,否则您会发现使用Base64编码更容易,证书(X.509)和私钥(PKCS#8)以PEM格式存储。这些都是字符串格式,因此应该直接与JSON一起使用。
代码示例中还有其他问题:签名应使用私钥,签名不应被视为ASCII字符串,可能您的消息实际上是UTF8。我希望内部符号/验证例程可能如下所示:
public string SignData(string msg, ECPrivateKeyParameters privKey)
{
try
{
byte[] msgBytes = Encoding.UTF8.GetBytes(msg);
ISigner signer = SignerUtilities.GetSigner("SHA-256withECDSA");
signer.Init(true, privKey);
signer.BlockUpdate(msgBytes, 0, msgBytes.Length);
byte[] sigBytes = signer.GenerateSignature();
return Convert.ToBase64String(sigBytes);
}
catch (Exception exc)
{
Console.WriteLine("Signing Failed: " + exc.ToString());
return null;
}
}
public bool VerifySignature(ECPublicKeyParameters pubKey, string signature, string msg)
{
try
{
byte[] msgBytes = Encoding.UTF8.GetBytes(msg);
byte[] sigBytes = Convert.FromBase64String(signature);
ISigner signer = SignerUtilities.GetSigner("SHA-256withECDSA");
signer.Init(false, pubKey);
signer.BlockUpdate(msgBytes, 0, msgBytes.Length);
return signer.VerifySignature(sigBytes);
}
catch (Exception exc)
{
Console.WriteLine("Verification failed with the error: " + exc.ToString());
return false;
}
}
另一个问题是我认为.NET在.NET 3.5之前没有获得ECDSA支持,无论如何在.NET 1.1中没有ECDsa类(这是BC即将推出的1.8版本的目标 - 我们将“现代化” “之后”,所以DotNetUtilities不支持ECDSA。但是,我们可以导出到PKCS#12并导入BC。一个示例程序:
public void Program()
{
Console.WriteLine("Attempting to load cert...");
System.Security.Cryptography.X509Certificates.X509Certificate2 thisCert = LoadCertificate();
Console.WriteLine(thisCert.IssuerName.Name);
Console.WriteLine("Signing the text - Mary had a nuclear bomb");
byte[] pkcs12Bytes = thisCert.Export(X509ContentType.Pkcs12, "dummy");
Pkcs12Store pkcs12 = new Pkcs12StoreBuilder().Build();
pkcs12.Load(new MemoryStream(pkcs12Bytes, false), "dummy".ToCharArray());
ECPrivateKeyParameters privKey = null;
foreach (string alias in pkcs12.Aliases)
{
if (pkcs12.IsKeyEntry(alias))
{
privKey = (ECPrivateKeyParameters)pkcs12.GetKey(alias).Key;
break;
}
}
string signature = SignData("Mary had a nuclear bomb", privKey);
Console.WriteLine("Signature: " + signature);
Console.WriteLine("Verifying Signature");
var bcCert = DotNetUtilities.FromX509Certificate(thisCert);
if (VerifySignature((ECPublicKeyParameters)bcCert.GetPublicKey(), signature, "Mary had a nuclear bomb."))
Console.WriteLine("Valid Signature!");
else
Console.WriteLine("Signature NOT valid!");
}
我还没有真正测试过任何上述代码,但它应该会给你一些东西。请注意,BC也有密钥和证书生成器,因此您可以选择将BC用于所有内容(XML除外!),并仅在必要时导出/导入.NET。
答案 1 :(得分:0)
感谢Petters的回答,我想添加代码以使用RSA算法验证签名。
public bool VerifySignature(AsymmetricKeyParameter pubKey, string signature, string msg)
{
try
{
byte[] msgBytes = Encoding.UTF8.GetBytes(msg);
byte[] sigBytes = Convert.FromBase64String(signature);
ISigner signer = SignerUtilities.GetSigner("SHA-256withRSA");
signer.Init(false, pubKey);
signer.BlockUpdate(msgBytes, 0, msgBytes.Length);
return signer.VerifySignature(sigBytes);
}
catch (Exception exc)
{
Console.WriteLine("Verification failed with the error: " + exc.ToString());
return false;
}
}