我需要使用Sha1算法在Java中使用Key Vault来实现签名,但不受支持,我该如何实现,我尝试使用弹性城堡进行摘要,并使用具有RSNULL算法的密钥库客户端,但是结果不正确。
String stringToSign = "holamund";
byte[] digestSha1Bytes = DigestUtils.sha1(stringToSign.getBytes());
keyOperationResult = keyVaultClient.sign("AZURE_URL_KEY", JsonWebKeySignatureAlgorithm.RSNULL, digestSha1Bytes);
输出生成:IoGXIIIZ5ZyM2m7ozz / ET8UOWWTwmKeseJVvs9w9cPHz11wKFZ / ikGx2Sj4Adhcn32QCDBOSv / knaTvPyw + EXkVX / 3NrAmxuIUUGhQF4 / muu7Y2644IWuECXqp8o1iXL8mN7sCEB5sh0sNArK77dvfRk7A0unZR / 82wpFxMjxYYeh8k / CiFRHK / MWX6sZe + 1Rm6vDmkaodyRqR1LsusS0wzOiuVdTXNkyL55MaTs5cLpWIpbHU + H4YaAO1 + B + nFVkJeeDDGbjHvmMO1EO / KT7HSHReOukYR2mwKxklzCZA3DWRp3pSi9Rdirpoc / IvFIOcWcYK44xfx0UKVHDzhZ4w ==
输出预期:pHOyaoTuOTELmTbfgRPg12tJP0JdjQY1GsdMR63s8L8hMb4lsirmalxSVRm5D2ed2d6PMdMxvA + OjUW / Pxzx5R8M5b3SeIiXde5JloOKoOc2PbKIGJI5Sf7 + yCSowCSgTdxmwkTQdBCZWeRhw1hs5hNJW / uBkbImdF0RtR478JxePH9AYEHOFjanLlI5 / OHzduPS8Px9qzQIr / KYRWk32Z14dUGPctYeT5ttY7lYu4ksTeyCwea5booNaZAN8EnT41s564cCPR2ZdYirzcNnWlTQxD7innpuFWP + rvLZHLYp3y + iiYIU6eyJurDoTUHHzTp + mEQSD / IMtgE43FWb6w ==
我尝试使用不同的api(例如充气城堡,java native等)进行摘要,但是没有找到正确的约定以与密钥库标志一起使用。
答案 0 :(得分:0)
在Azure Key Vault中,RSNULL算法提供了原始的RSA签名。为了使用原始的SHA1签名算法生成标准的RSA签名,必须首先将摘要包装到将要签名的ASN.1 DigestInfo结构中。以下示例显示:
import java.io.IOException;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.Signature;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.models.KeyBundle;
import com.microsoft.azure.keyvault.models.KeyOperationResult;
import com.microsoft.azure.keyvault.webkey.JsonWebKey;
import com.microsoft.azure.keyvault.webkey.JsonWebKeySignatureAlgorithm;
...
/**
* @param keyVaultClient An instance of Key Vault client.
* @param keyIdentifer The Key Identifier. This is the kid field of JsonWebKey structure.
* @param message The message to be signed.
*/
void sampleSHA1SignatureWithAzureKeyVault(KeyVaultClient keyVaultClient, String keyIdentifer, byte[] message) throws Throwable {
/////////////////////////////////////////
// Signs message using Azure Key Vault //
/////////////////////////////////////////
// Compute SHA1 hash:
MessageDigest md = MessageDigest.getInstance("SHA1");
md.update(message);
byte[] digest = md.digest();
// Convert SHA1 digest into ASN.1:
byte[] digestInfo = getDigestInfoForSHA1Digest(digest);
// Call Azure Key Vault to perform the signature using the server key.
// Note that we are passing the DigestInfo to RSNULL, instead of SHA1 digest.
KeyOperationResult result = keyVaultClient.sign(keyIdentifer, JsonWebKeySignatureAlgorithm.RSNULL, digestInfo);
byte[] signature = result.result();
/////////////////////////////////////////////////////////
// Verifies the signature locally, using java.security //
/////////////////////////////////////////////////////////
// Read the public key from Azure Key Vault
KeyBundle keyBundle = keyVaultClient.getKey(keyIdentifer);
// Initialize java.security instances with the Public Key and message.
KeyPair kp = keyBundle.key().toRSA(false);
Signature signImpl = Signature.getInstance("SHA1withRSA");
signImpl.initVerify(kp.getPublic());
signImpl.update(message);
// Verify the signature.
if (signImpl.verify(signature))
System.out.println("Signature was verified.");
else
System.out.println("Signature verification failed.");
}
byte[] getDigestInfoForSHA1Digest(byte[] digest) {
// Constructs an ASN.1 DigestInfo structure for the caller-specified SHA1 hash.
// ASN.1 data:
byte[] digestInfo = new byte[] { //
0x30, 0x21, // SEQUENCE DigestInfo (33 bytes) (13 of header + 20 of SHA1 digest)
0x30, 0x09, // SEQUENCE AlgorithmIdentifier (9 bytes)
0x06, 0x05, // OBJECT IDENTIFIER algorithm (5 bytes)
0x2b, 0x0e, 0x03, 0x02, 0x1a, // OID of SHA1 (1.3.14.3.2.26)
0x05, 0x00, // NUL algorithm parameters (05 00 is the DER encoding for NUL)
0x04, 0x14, // OCTET STRING digest (20 bytes)
00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 // SHA1, copied below
};
System.arraycopy(digest, 0, digestInfo, 15, digest.length);
return digestInfo;
}