下面的Java 8代码导致消息"签名未通过匹配键"我无法理解为什么。任何想法为什么不验证?
我最好的猜测是,它与openssl生成私钥或证书的方式有关,但从我的研究看来,我似乎正在使用正确的命令。我尝试做的是加载私钥,签名邮件,然后根据x509证书中包含的公钥验证签名。
privatekey.pkcs8.key文件是使用基于MS windows的openssl使用以下命令生成的:
openssl.exe" genrsa -out privatekey.pem 1024
openssl pkcs8 -in privatekey.pem -inform PEM -topk8 -out privatekey.pkcs8.key -outform DER -nocrypt
还使用基于MS windows的openssl生成了publickey.cer,使用以下命令:
openssl req -x509 -key privatekey.pem -days 365 -out publickey.cer -new
我试图验证签名时使用的Java代码如下:
public static void main(String[] args) throws Exception{
new TestSigs();
}
public TestSigs {
byte[] signature = generateSignatureForMessage("src/cryptoprivatekey.pkcs8.key", "Hello");
verifySignature("src/crypto/publickey.cer", signature);
}
public byte[] generateSignatureForMessage(String privateKeyPath, String message) throws Exception {
RSAPrivateKey privKey = loadPrivateRSAKeyFromFile(privateKeyPath);
Signature s = Signature.getInstance("SHA256withRSA");
s.initSign(privKey);
s.update(ByteBuffer.wrap(message.getBytes()));
byte[] signature = s.sign();
return signature;
}
private void verifySignature(String publicKeyPath, byte[] signature) throws Exception {
Certificate cert = loadCertificate(publicKeyPath);
Signature s = Signature.getInstance("SHA256withRSA");
s.initVerify(cert);
if(s.verify(signature)) {
System.out.println("signature signed by matching key");
} else {
System.out.println("signature NOT signed by matching key");
}
}
private Certificate loadCertificate(String filename) throws FileNotFoundException, CertificateException {
FileInputStream fis = new FileInputStream(filename);
BufferedInputStream bis = new BufferedInputStream(fis);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
return cf.generateCertificate(bis);
}
private RSAPrivateKey loadPrivateRSAKeyFromFile(String keyPath) throws Exception {
byte[] privKeyBytes = loadRSAKeyBytesFromFile(keyPath);
KeyFactory kFact = KeyFactory.getInstance("RSA");
KeySpec ks = new PKCS8EncodedKeySpec(privKeyBytes);
return (RSAPrivateKey)kFact.generatePrivate(ks);
}
答案 0 :(得分:2)
verifySignature方法的签名(没有双关语)说明您的实施无法正常工作。对于要检查的Signature,处理器需要访问签名数据和签名。您的方法没有提供:
private void verifySignature(String publicKeyPath, byte[] signature)
我建议您将其修改为generateSignatureForMessage方法的对称方式,即:
sign或verify)其中一个实现类似于:
private void verifySignature(String publicKeyPath, byte[] signature, byte[] signedContent) throws Exception {
Certificate cert = loadCertificate(publicKeyPath);
Signature s = Signature.getInstance("SHA256withRSA");
s.initVerify(cert);
s.update(signedContent);
if(s.verify(signature)) {
System.out.println("signature signed by matching key");
} else {
System.out.println("signature NOT signed by matching key");
}
}