我试图验证文件的签名。 我跟着这些指令生成证书:
// generate a private key with size of 2048 bits
openssl genrsa -out private_key.pem 2048
// derive a public key from the above private key
openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
// iOS will not import PEM encoded data so it needs to be converted to DER encoded data
openssl rsa -pubin -inform PEM -outform DER -in public_key.pem -out public_key.der
// generate a self-signed certificate for testing
openssl req -new -x509 -key private_key.pem -out test_cert.pem -days 1095
// show the content of the original certificate
openssl x509 -in test_cert.pem -text -noout
// convert the certificate to DER format
openssl x509 -in test_cert.pem -outform der -out test_cert.der
// show the content of the new certificate
openssl x509 -in test_cert.der -inform der -text -noout
我使用的例子此链接哈希一些数据并确认一切都没有很好的(我做的步骤2 - 5)。
现在,我试图把.der文件,签名文件和数据文件到一个Android应用程序,基本上验证这一切都和好如初。 我没有得到任何错误,但我没有收到假的..下面是我写的代码:
import android.app.Activity;
import android.os.Bundle;
import android.os.Environment;
import android.util.Base64;
import android.util.Log;
import android.widget.TextView;
import java.io.*;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.Certificate;
// Most of the below is taken from:
// http://www.herongyang.com/JDK/Digital-Signature-JcaVerify-Signature-Verification-Program.html
public class MyActivity extends Activity {
String input = Environment.getExternalStorageDirectory() + "/data.txt";
String signFile = Environment.getExternalStorageDirectory() + "/signature";
String signAlgo = "SHA1withRSA";
int keyFile = R.raw.test_cert_josh;
String TAG = "VERIFY";
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
TextView textView = (TextView) findViewById(R.id.textView);
try {
PublicKey pubKey = readPublicKey(keyFile);
byte[] sign = readSignature(signFile);
textView.setText(verify(input, signAlgo, sign, pubKey) + "");
} catch (Exception e) {
e.printStackTrace();
}
}
PublicKey readPublicKey(int cert_id) throws Exception {
InputStream in = MyActivity.this.getResources().openRawResource(cert_id);
byte[] buff = new byte[4000];
int bytesRead;
ByteArrayOutputStream out = new ByteArrayOutputStream();
while((bytesRead = in.read(buff)) != -1) {
out.write(buff, 0, bytesRead);
Log.i(TAG, "bytes read: " + bytesRead);
}
byte[] publicKeyBytes = out.toByteArray();
CertificateFactory cf = CertificateFactory.getInstance("X509");
Certificate cert = cf.generateCertificate(new ByteArrayInputStream(publicKeyBytes));
PublicKey pubKey = cert.getPublicKey();
Log.i(TAG, "Public Key Info: ");
Log.i(TAG, "Algorithm = " + pubKey.getAlgorithm());
Log.i(TAG, "toString = " + pubKey.toString());
return pubKey;
}
byte[] readSignature(String input) throws Exception {
FileInputStream signStream = new FileInputStream(input);
byte[] signBytes = new byte[signStream.available()];
signStream.read(signBytes);
signStream.close();
return signBytes;
}
boolean verify(String input, String algorithm, byte[] sign, PublicKey pubKey) throws Exception {
Signature sg = Signature.getInstance(algorithm);
sg.initVerify(pubKey);
Log.i(TAG, "Signature Object Info: ");
Log.i(TAG, "Algorithm = "+sg.getAlgorithm());
Log.i(TAG, "Provider = "+sg.getProvider());
FileInputStream in = new FileInputStream(input);
byte[] buff = new byte[in.available()];
in.read(buff);
sg.update(buff);
boolean ok = sg.verify(sign);
Log.i(TAG, "Verify Processing Info: ");
Log.i(TAG, "Verification result = "+ok);
return ok;
}
}
我读过的一切说我的代码是正确的。 我想获得的公钥出来的部分是正确的,因为模量相匹配的实际.der文件。
请帮忙!
编辑:我认为这与做任何我怎么读签名文件或数据文件中的我敢肯定我正确地获取有关公共密钥一切,因为我打印出来的更多信息有关它和它相匹配。 OpenSSL的输出
每尼古拉的建议编辑下面,我试图签下的Android应用程序,我是在OpenSSL中使用此代码签名的内部相同的数据:
// testing code to sign it myself
// read the data file in
FileInputStream dataStream = new FileInputStream(input);
byte[] dataBytes = new byte[dataStream.available()];
dataStream.read(dataBytes);
dataStream.close();
// hash the data file, like i do with openssl
// per Nikolay's comments, this is not needed
MessageDigest digest = MessageDigest.getInstance("SHA-1");
// digest.update(dataBytes, 0, dataBytes.length);
// dataBytes = digest.digest();
Log.i(TAG, "data from file: " + new String(dataBytes));
// read the private key in
FileInputStream fis = new FileInputStream(Environment.getExternalStorageDirectory() + "/phaero/private_key.pem");
byte[] keyBytes = new byte[fis.available()];
fis.read(keyBytes);
fis.close();
// clean up the private key and decode it
String temp = new String(keyBytes);
Log.i(TAG, "private key: " + temp);
String privKeyPEM = temp.replace("-----BEGIN RSA PRIVATE KEY-----\n", "");
privKeyPEM = privKeyPEM.replace("-----END RSA PRIVATE KEY-----", "");
byte[] decoded = Base64.decode(privKeyPEM.getBytes(), Base64.DEFAULT);
// create the private key object from the private key data
PKCS8EncodedKeySpec private_spec = new PKCS8EncodedKeySpec(decoded);
KeyFactory kf = KeyFactory.getInstance("RSA");
PrivateKey privateKey = kf.generatePrivate(private_spec);
// set up for signing
Signature signer = Signature.getInstance(signAlgo);
signer.initSign(privateKey);
signer.update(dataBytes, 0, dataBytes.length);
// sign, and hash again so i can compare against openssl output
byte[] signed = signer.sign();
digest.update(signed, 0, signed.length);
Log.i(TAG, new BigInteger(1, digest.digest()).toString(16));
快速注:使用在果冻豆上面的代码中,你必须创建的KeyFactory时指定“BC”。
然后我散列签名结果,看它是否会匹配使用OpenSSL生成签名文件的哈希,他们不匹配..所以我不知道这意味着什么,但我知道这意味着什么! 我假设我需要指定某种附加选项的建立在OpenSSL的签名文件时?
编辑:
按照以下尼古拉的评论,我更新了我的测试代码,不要签收,但在Java中创建签名的散列仍犯规匹配使用OpenSSL创建签名文件的散列...不知道什么是错的,Java和OpenSSL的,还是我。
