[英]ECDSA signature with C# and Bouncy Castle does not match MS ECDsa signature
我正在嘗試與來自 Xamarin.Forms 項目的 Apple Music API 進行通信。 Due to the Microsoft ECDsa implementation not being available on Xamarin.Android and Xamarin.iOS I am trying to work around that limitation using the Portable.BouncyCastle Nuget package. 總體而言,該過程似乎按預期工作,但是當嘗試使用簽名的開發人員令牌調用 Apple Music API 時,我總是收到 HTTP/2 401。
我有一個有效的 MS ECDsa 實現,我在 ASP.NET 核心項目中使用它來與 Apple 推送通知服務通信,所以我編寫了一個快速的小演示工具,可以在這兩種方法中生成密鑰,結果:簽名不匹配並且MS ECDsa 變體實際上有效,我從 Apple 獲得了正確的 API 響應。
我在網上看了很多樣本,我看不出我實際上做錯了什么,所以也許這里有人可以指出我正確的方向。
充氣城堡方法:
public static AsymmetricCipherKeyPair GetKeys(string data)
{
var tag = $"{_className}.GetECDsa";
try
{
byte[] byteArray = Encoding.ASCII.GetBytes(data);
MemoryStream stream = new MemoryStream(byteArray);
using (TextReader reader = new StreamReader(stream))
{
var ecPrivateKeyParameters =
(ECPrivateKeyParameters)new PemReader(reader).ReadObject();
var q = ecPrivateKeyParameters.Parameters.G.Multiply(ecPrivateKeyParameters.D).Normalize();
var ecPublicKeyParameters = new ECPublicKeyParameters(q, ecPrivateKeyParameters.Parameters);
return new AsymmetricCipherKeyPair(ecPublicKeyParameters, ecPrivateKeyParameters);
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
public static string CreateToken(AsymmetricCipherKeyPair keyPair, string p8privateKeyId, string teamId, DateTime date)
{
var tag = $"{_className}.CreateJwtToken";
try
{
var header = JsonHelper.Serialize(new { alg = "ES256", kid = p8privateKeyId });
var payload = JsonHelper.Serialize(new { iss = teamId, iat = ToEpoch(date), exp = ToEpoch(date.AddSeconds(15777000)) });
var headerBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(header));
var payloadBasae64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
var unsignedJwtData = $"{headerBase64}.{payloadBasae64}";
var signature = GetSignature(unsignedJwtData, keyPair);
return $"{unsignedJwtData}.{Convert.ToBase64String(signature)}";
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
private static int ToEpoch(DateTime time)
{
var span = DateTime.UtcNow - new DateTime(1970, 1, 1);
return Convert.ToInt32(span.TotalSeconds);
}
private static byte[] GetSignature(string plainText, AsymmetricCipherKeyPair key)
{
var encoder = new UTF8Encoding();
var inputData = encoder.GetBytes(plainText);
var signer = SignerUtilities.GetSigner("SHA-256withECDSA");
signer.Init(true, key.Private);
signer.BlockUpdate(inputData, 0, inputData.Length);
return signer.GenerateSignature();
}
MS ECDsa 方法:
public static string GetPrivateKey(string p8privateKey)
{
var tag = $"{_className}.GetPrivateKey";
try
{
var dsa = GetECDsa(p8privateKey);
var keyBytes = dsa.ExportPkcs8PrivateKey();
return Convert.ToBase64String(keyBytes);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
private static ECDsa GetECDsa(string p8privateKey)
{
var tag = $"{_className}.GetECDsa";
try
{
byte[] byteArray = Encoding.ASCII.GetBytes(p8privateKey);
MemoryStream stream = new MemoryStream(byteArray);
using (TextReader reader = new StreamReader(stream))
{
var ecPrivateKeyParameters =
(ECPrivateKeyParameters)new PemReader(reader).ReadObject();
var q = ecPrivateKeyParameters.Parameters.G.Multiply(ecPrivateKeyParameters.D).Normalize();
return ECDsa.Create(new ECParameters
{
Curve = ECCurve.CreateFromValue(ecPrivateKeyParameters.PublicKeyParamSet.Id),
D = ecPrivateKeyParameters.D.ToByteArrayUnsigned(),
Q =
{
X = q.XCoord.GetEncoded(),
Y = q.YCoord.GetEncoded()
}
});
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
public static string CreateJwtToken(string p8privateKey, string p8privateKeyId, string teamId, DateTime date)
{
var tag = $"{_className}.CreateJwtToken";
try
{
var header = JsonHelper.Serialize(new { alg = "ES256", kid = p8privateKeyId });
var payload = JsonHelper.Serialize(new { iss = teamId, iat = ToEpoch(date), exp = ToEpoch(date.AddSeconds(15777000)) });
using var dsa = ECDsa.Create("ECDsa");
var keyBytes = Convert.FromBase64String(p8privateKey);
dsa.ImportPkcs8PrivateKey(keyBytes, out _);
var headerBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(header));
var payloadBasae64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
var unsignedJwtData = $"{headerBase64}.{payloadBasae64}";
var unsignedJwtBytes = Encoding.UTF8.GetBytes(unsignedJwtData);
var signature = dsa.SignData(unsignedJwtBytes, 0, unsignedJwtBytes.Length, HashAlgorithmName.SHA256);
return $"{unsignedJwtData}.{Convert.ToBase64String(signature)}";
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
我期待着您的反饋。
感謝Topaco的評論,我用SHA-256withPLAIN-ECDSA
進行了測試,它解決了這個問題。 簽名不相同,但 Apple Music API 接受簽名的 JWT 令牌並正確響應。 因此,感謝 Topaco 指出這一點。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.