[英]C# Hash and Verify JWT using Google KMS
我们需要使用自定义的 AsymmetricSecurityKey 散列和验证 JWT 令牌,该密钥使用 Google Cloud KMS API 来签署/验证令牌。
哈希逻辑工作正常,这里是实现:
public override byte[] Sign(byte[] input)
{
string projectId = "<PROJECT-ID>";
string location = "global";
var locationName = new LocationName(projectId, location);
// Instantiate a Cloud KMS client.
var client = KeyManagementServiceClient.Create();
var cryptoKeyVersion = new CryptoKeyVersionName(projectId, location, "test", "asymmetric-signing-key", "1");
var publicKey = client.GetPublicKey(cryptoKeyVersion);
byte[] hashedInput;
using (var hasher = SHA256.Create())
{
hashedInput = hasher.ComputeHash(input);
}
var digest = new Digest
{
Sha256 = ByteString.CopyFrom(hashedInput)
};
var asymmetricSignResponse = client.AsymmetricSign(cryptoKeyVersion, digest);
var output = asymmetricSignResponse.Signature.ToByteArray();
return output;
}
我需要知道如何验证签名,我尝试了很多不同的方法和库,但总是失败
此处用于创建和验证数字签名的 Google KMS 文档没有针对 .NET C# 的实现
感谢你的帮助!
我找到了一个可能对您有用的存储库,其中包含用于 NetCore 和 AspNet 的 KMS 示例。
此示例需要 .NET Core 2.0 或更高版本。 这意味着使用 Visual Studio 2017 或命令行。
https://github.com/GoogleCloudPlatform/dotnet-docs-samples/tree/master/kms/api
也许此链接对您的研究有用:
https://medium.com/google-cloud/keeping-secrets-in-asp-nets-appsettings-json-5694e533dc87
我们正在努力将这些样本集中在一起并发布在我们的文档中( 请参阅此处)。 下面是一个例子:
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
CryptoKeyVersionName keyVersionName = new CryptoKeyVersionName(
projectId, locationId, keyRingId, cryptoKeyId, cryptoKeyVersionId);
byte[] content = File.ReadAllBytes(contentFile);
byte[] signature = File.ReadAllBytes(signatureFile);
string pubKeyPem = client.GetPublicKey(keyVersionName).Pem;
PemReader reader = new PemReader(new StringReader(pubKeyPem));
byte[] publicKeyInfoBytes = reader.ReadPemObject().Content;
AsymmetricKeyParameter key = PublicKeyFactory.CreateKey(publicKeyInfoBytes);
// The algorithm string to use will vary depending on the algorithm associated
// with the CryptoKeyVersion. `SignerUtilities.cs` in BouncyCastle source
// contains a mapping of algorithm strings.
// "SHA512withRSA/PSS" and "SHA256withRSA" (for PKCS1) are also useful example
// values.
const string algorithm = "SHA256withECDSA";
ISigner signer = SignerUtilities.GetSigner(algorithm);
signer.Init(false, key);
signer.BlockUpdate(content, 0, content.Length);
bool verified = signer.VerifySignature(signature);
Console.Write($"Signature verified: {verified}");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.