堆栈内存溢出
  繁体   English   中英

Jsrsasign。 如何验证服务器上的签名?

[英]Jsrsasign. How to verify the signature on the server?

 原文  2014-05-21 13:20:44       javascript/ ssl/ openssl/ sign

问题描述

早上好。

我需要在移动设备上生成证书,以便以后发送到服务器。

目的是对设备的某些独特功能进行签名并在服务器上进行检查。

我使用以下方法 

// Create cert

var publickey="";
publickey=publickey+"-----BEGIN PUBLIC KEY-----\n";
publickey=publickey+"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2Alder/8ByIu+565IRZS+xB6t";
publickey=publickey+"hJkmlwNy7wMRTX7YysHC9S75wR/FLWFdsjMP+3TElvxsck+A3emsd2TYcJr0s4p7";
publickey=publickey+"5vP8k3Cap39mTXVNLRyaiFZt4ViJTYhsNWtAfS8t8T56FWPxy1prilR0AQHp+Qj5";
publickey=publickey+"VKdp8Rwfik4GrHOGWQIDAQAB\n";
publickey=publickey+"-----END PUBLIC KEY-----";

var privatekey="";      
privatekey=privatekey+"-----BEGIN RSA PRIVATE KEY-----\n";
privatekey=privatekey+"MIICXAIBAAKBgQD2Alder/8ByIu+565IRZS+xB6thJkmlwNy7wMRTX7YysHC9S75";
privatekey=privatekey+"wR/FLWFdsjMP+3TElvxsck+A3emsd2TYcJr0s4p75vP8k3Cap39mTXVNLRyaiFZt";
privatekey=privatekey+"4ViJTYhsNWtAfS8t8T56FWPxy1prilR0AQHp+Qj5VKdp8Rwfik4GrHOGWQIDAQAB";
privatekey=privatekey+"AoGAbhYIIPAi7hpfJrOoUuEIOgGrNLzEh/dF7NW2CrUiEUNSR7rOJaddXy/6hSIs";
privatekey=privatekey+"JXfB/gMOvDy/BQzI94uKDiz9uahMcuADhpUJBpDQMP5B1xMwVAxm8MLHEi86Bn3T";
privatekey=privatekey+"W/yaTsa7SYlnMu0TJl1xQFeB9cQS4qZIUgGR44774yIM/V0CQQD92Xz9ojSgcT4m";
privatekey=privatekey+"Hz1ua4jNTBtUPT+Buxr3IZraaXVYKIUiW1dFXiD6BZ0PVFdA8yBTvltoidjv/5zv";
privatekey=privatekey+"7Pm6alHDAkEA+BfZkqBvLXFQtHgxVaj+JMIXei9TWkhtQt9no1IWAZd/vvBDJelE";
privatekey=privatekey+"utOsG824g/I2+mLnYHDFLfH7CBeMz4mJswJAXbRq7zVxN8iVqHzfsGMBnMb7T51M";
privatekey=privatekey+"VBc9XPyKrRVAu8o5WvVcwb59bc2krIP1sYQN6tvZ4j0AV5eD1w0jIi0dAQJBAKQ7";
privatekey=privatekey+"ZZRjEDYM5VgSmNYT4OmEcvY3jf4eI/Y43eqH1HmJSM+lTU4zdYQXy788GAGAvlRS";
privatekey=privatekey+"VMjK3jzkC0H4FQbuDXECQDaFTYpdYkUDeGPX4YTEPBbwMyJygjRDD3X067bgAJ/+";
privatekey=privatekey+"z9pgsAsHhle6aQv09c0t2j+6LPVeFpSvd2u8g9+9U0o=\n";
privatekey=privatekey+"-----END RSA PRIVATE KEY-----";

var rsa = new RSAKey();
rsa.readPrivateKeyFromPEMString(privatekey);

var tbsc = new KJUR.asn1.x509.TBSCertificate();
tbsc.setSerialNumberByParam({'int': 9999});
tbsc.setSignatureAlgByParam({'name': 'SHA256withRSA'});
tbsc.setIssuerByParam({'str': '/C=ES/O=MOBILE-CA'});  
tbsc.setNotBeforeByParam({'str': '130501235959Z'});
tbsc.setNotAfterByParam({'str': '230501235959Z'});
tbsc.setSubjectByParam({'str': '/C=ES/CN=SOME'});  
tbsc.setSubjectPublicKeyByParam({'rsapem': publickey});
var cert = new KJUR.asn1.x509.Certificate({'tbscertobj': tbsc,
                                            'prvkeyobj': rsa
});
cert.sign(); 

var x509toServer=cert.getPEMString(); // Send to server

// Generate sign
var xig = new KJUR.crypto.Signature({"alg": "SHA256withRSA"});
xig.init(rsa);
xig.updateString("zzzzttttzzzz");
var xSigVal = xig.sign();                       
console.log('Sign: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++');
console.log(xSigVal);
console.log('++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++');

// Verify sign
var sig = new KJUR.crypto.Signature({"alg": "SHA256withRSA"});
sig.initVerifyByCertificatePEM(cert.getPEMString()); // signer's certificate
sig.updateString(me.getApplication().device_uid);
var isValid = sig.verify(xSigVal)  
if (isValid) {
    console.log("valid");
} else {
    console.log("invalid");
}

上面的代码可以完美地工作,并向我表明签名是有效的。

证书服务器接收消息(zzzzttttzzzzzz)和签名(变量xSigVal)。

然后生成下一个文件

device.cer与 

-----BEGIN CERTIFICATE-----
MIIBwjCCASugAwIBAgICJw8wDQYJKoZIhvcNAQELBQAwITELMAkGA1UEBhMCRVMx
EjAQBgNVBAoMCU1PQklMRS1DQTAeFw0xMzA1MDEyMzU5NTlaFw0yMzA1MDEyMzU5
NTlaMCwxCzAJBgNVBAYTAkVTMR0wGwYDVQQDDBR1MDIwODg1LXp6enp0dHR0enp6
ejCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9gJXXq//AciLvueuSEWUvsQe
rYSZJpcDcu8DEU1+2MrBwvUu+cEfxS1hXbIzD/t0xJb8bHJPgN3prHdk2HCa9LOK
e+bz/JNwmqd/Zk11TS0cmohWbeFYiU2IbDVrQH0vLfE+ehVj8ctaa4pUdAEB6fkI
+VSnafEcH4pOBqxzhlkCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCj7lCmpZt4Icej
KyH1fLseEAHACoR/FB8vknaLL3Bk8X4ADOEWGQD3ZL5TdQYRKxpqYz49j2Iu90qc
YfBeLD/WJ8bwBwnWal1n02pFZJWKldlYjhcQ7Z910AsP2oG3A4tsOUMaUSs+Al2+
U+YKn08m09RRubGVDuxboVtdBicK/A==
-----END CERTIFICATE-----

message.txt与 

zzzzttttzzzz

cbfbaa6f099fafdb9d892a9d2ea7378a66685e429f77e24241e2e5531db9c020829de125467a891504aaa42b174b0d47d6c83e8234fe32918900ba219cd75b024fa21c241a8c8463ffe629a8e3cf094014cb19a70734db8a0f7b856fb60f4cf9425af8982a9404bfaa8a9e09d742160bca588c4464c17467ef2de69d1b0c46d0

服务器上的证书返回的信息是 

openssl x509 -in c/device.cer -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9999 (0x270f)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=ES, O=MOBILE-CA
        Validity
            Not Before: May  1 23:59:59 2013 GMT
            Not After : May  1 23:59:59 2023 GMT
        Subject: C=ES, CN=u020885-zzzzttttzzzz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f6:02:57:5e:af:ff:01:c8:8b:be:e7:ae:48:45:
                    94:be:c4:1e:ad:84:99:26:97:03:72:ef:03:11:4d:
                    7e:d8:ca:c1:c2:f5:2e:f9:c1:1f:c5:2d:61:5d:b2:
                    33:0f:fb:74:c4:96:fc:6c:72:4f:80:dd:e9:ac:77:
                    64:d8:70:9a:f4:b3:8a:7b:e6:f3:fc:93:70:9a:a7:
                    7f:66:4d:75:4d:2d:1c:9a:88:56:6d:e1:58:89:4d:
                    88:6c:35:6b:40:7d:2f:2d:f1:3e:7a:15:63:f1:cb:
                    5a:6b:8a:54:74:01:01:e9:f9:08:f9:54:a7:69:f1:
                    1c:1f:8a:4e:06:ac:73:86:59
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
        a3:ee:50:a6:a5:9b:78:21:c7:a3:2b:21:f5:7c:bb:1e:10:01:
        c0:0a:84:7f:14:1f:2f:92:76:8b:2f:70:64:f1:7e:00:0c:e1:
        16:19:00:f7:64:be:53:75:06:11:2b:1a:6a:63:3e:3d:8f:62:
        2e:f7:4a:9c:61:f0:5e:2c:3f:d6:27:c6:f0:07:09:d6:6a:5d:
        67:d3:6a:45:64:95:8a:95:d9:58:8e:17:10:ed:9f:75:d0:0b:
        0f:da:81:b7:03:8b:6c:39:43:1a:51:2b:3e:02:5d:be:53:e6:
        0a:9f:4f:26:d3:d4:51:b9:b1:95:0e:ec:5b:a1:5b:5d:06:27:
        0a:fc

我用以下方法提取公钥 

openssl x509 -in c/device.cer -noout -pubkey > c/device.pub.key.cer

并完全匹配具有javascript(var publickey)

现在出现了问题。 如何在服务器上使用OpenSSL进行相同的签名验证?

具有签名的文件包含一个十六进制数字,并尝试

1-。 openssl dgst -verify c / device.pub.key.cer -signature firma.sign message.txt

2-。 openssl dgst -sha256 -verify c / device.pub.key.cer -signature firma.sign message.txt

3-。 猫firma.sign | xxd -r -p> firma.s2 openssl dgst -verify c / device.pub.key.cer -signature firma.s2 message.txt

和其他选项,但答案始终是:

验证失败

有人可以帮忙吗?

在此先感谢和问候。

1 个解决方案

解决方案1
 0  2016-03-18 20:56:48

一些东西...

  1. OpenSSL希望它以二进制格式而不是base64签名。 使用| base64 -d | base64 -d进行解码。
  2. 根据我的测试,您的签名似乎不正确。

根据您的示例创建和验证base64签名的步骤:

  1. 创建我们的数据输入文件: 

     echo "zzzzttttzzzz" > zzzzttttzzzz.txt

  2. 当我使用openssl签名相同的消息时: 

     openssl dgst -sha256 -sign private.pem -out zzzzttttzzzz.signature zzzzttttzzzz.txt

  3. 但是此签名是gobbledygook,因此我们应该对其进行base64 ,以提供针对jsrsasign的基线 

     nÝ^@^Oú^P<...>

  4. 然后base64签名: 

     $ base64 zzzzttttzzzz.signature "bt0AD/oQxZ8EA0+J8HSFaQ4fYPEIj2+Nf1hUd87jHDb8vg/MUxKA/EccxQRCYXiVUg5GxBjj5J/W ZgHNmXZafl6azhC9kTUTS6zvd+TeOPwKFcOm5+g9Pf5ldOcoIpsqN3Fd1fwxrNPZqiawmWaJZHsX mwd00RC9xupK8BTiNrc="

  5. 为了确保我们可以解码和匹配二进制签名: 

     echo "bt0AD/oQxZ8EA0+J8HSFaQ4fYPEIj2+Nf1hUd87jHDb8vg/MUxKA/EccxQRCYXiVUg5GxBjj5J/WZgHNmXZafl6azhC9kTUTS6zvd+TeOPwKFcOm5+g9Pf5ldOcoIpsqN3Fd1fwxrNPZqiawmWaJZHsXmwd00RC9xupK8BTiNrc=" | base64 -d | diff zzzzttttzzzz.signature -

  6. 最后,验证: 

     openssl dgst -sha256 -verify public.key -signature zzzzttttzzzz.signature zzzzttttzzzz.txt "Verified OK"

摘要

  • 修复JavaScript签名生成,然后将其从base64转换为二进制,并且openssl应该验证就可以了。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用jsrsasign获取证书以验证我的RSA数字签名? 如何在jsrsasign.js中使用汉字数字签名? 使用Node.js'jsrsasign'库来验证.NET Bouncy Castle库生成的签名 jsrsasign:无法使用PEM RSA公钥验证JWT 如何将Web加密密钥导出到jsrsasign 使用BouncyCastle(C#)签名数据并使用jsrsasign(js)进行验证 如何使用公钥验证数字签名? 如何在 phantom solana 中验证消息的签名? 如何验证 Stripe 的 webhook 签名? 如何验证 Phantom 钱包的签名?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM