解密证书验证签名哈希

时间:2017-01-29 05:36:31

标签: powershell encryption hash

对象:https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/developing-an-alexa-skill-as-a-web-service?ref_=pe_679090_102923190#checking-the-signature-of-the-request

  • 使用从签名证书中提取的公钥解密加密的签名,以生成声明的哈希值。
  • 从完整的HTTPS请求主体生成SHA-1哈希值以生成派生哈希值(不确定这是否意味着整个POST或只是"请求" JSON)

示例签名:

FosqGd+Djx2PAXuER7msZwOsGok+BWZUXMj6LjEIDkhGp0yvmB/oB76C9Mu5fhL6ZH0AgZ862sZYArp2VZnANGy2fAzTyUa1dWL+uZuO4l9jAxq/7Y30W9+V1rStWF8LcYK48iaHdfsqPFm9otOWSLoIYhg9bo62rrCDBo9TeQOt8S63lrBTWc6csEQ0PRVsplkfnAb3edv46g0c7Mg4B3h+uQfq3+RveoKVrUDAEfg1SN7HLWtjxPcLJ1pxOYa29zu56aqiF/96G79gNyQMrUZ7wdnElWWA+lYgHNWAxCibKdzs7QiU1hgbLR+g45+33nHn+M2qgKjjGFcDtaMmPA==

签名证书链URL:https://s3.amazonaws.com/echo.api/echo-api-cert-4.pem

示例帖子JSON:

{"session":{"sessionId":"SessionId.d6d80552-79bf-445a-9e88-5f845a368718","application":{"applicationId":"amzn1.ask.skill.29dff22d-929c-4c74-bbe2-e2a9c83316c5"},"attributes":{},"user":{"userId":"amzn1.ask.account."},"new":true},"request":{"type":"IntentRequest","requestId":"EdwRequestId.c4a78877-5328-4009-9c1c-f6b8783186a2","locale":"en-US","timestamp":"2017-01-29T03:35:40Z","intent":{"name":"GetMovie","slots":{"Keyword":{"name":"Keyword"},"Genre":{"name":"Genre"}}}},"version":"1.0"}

我完全失去了如何使用从签名证书中提取的公钥来解密加密签名以生成断言的哈希值。 .GetPublicKey()返回相当长的System.Byte,但现在是什么?

当前代码:

$cert = Get-PfxCertificate -FilePath $dlPath
# 5.- Base64-decode the Signature header value on the request to obtain the encrypted signature
$encryptedSignatureBytes = [System.Convert]::FromBase64String($Json.signature)

# 6.- Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value       
$publicKey = $cert.GetPublicKey() #returns long System.Byte
$assertedHash = $cert.PublicKey.Key.Decrypt($encryptedSignatureBytes, $false) #Exception calling "Decrypt" with "2" argument(s): "Key does not exist.
$assertedHash = $cert.PublicKey.Key.DecryptValue($encryptedSignatureBytes) #Exception calling "DecryptValue" with "1" argument(s): "Method is not supported."

# 7.- Generate a SHA-1 hash value from the full HTTPS request body to produce the derived hash value    
$requestBodySHA1 = $(Get-StringHash $Json.requestBody)

# 8.- Compare the asserted hash value and derived hash values to ensure that they match    
if ($assertedHash -eq $requestBodySHA1)
{
    #todo
}

1 个答案:

答案 0 :(得分:0)

一旦我理解了实际​​要求,这比预期的要容易。为了比较签名和Amazon post请求,我所要做的就是以Byte []的形式获取请求,Signature已经是Base64转换的Byte [],然后将其输入到函数$ cert.PublicKey.Key.VerifyData 如果我更改签名或请求中的任何字节,则失败。

# 7.- Generate a SHA-1 hash value from the full HTTPS request body to produce the derived hash value
$requestBodyBytes = [System.IO.File]::ReadAllBytes($req)
# 8.- Compare the asserted hash value and derived hash values to ensure that they match
$sha1Oid = [System.Security.Cryptography.CryptoConfig]::MapNameToOID('SHA1')
if(!($cert.PublicKey.Key.VerifyData($requestBodyBytes, $sha1Oid, $encryptedSignatureBytes)))
{
    $validErr += "`nFailed request hash comparison to signature."
}