1

I have a digital signature (RSA - PKCS#1). After decrypting it with the RSA public key I get the following 128 bytes

00 01 ff ff ff .. ff 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 77 51 1b f4 d7 17 d7 ad 8c 2d e5 89 2a ca e0 6d a3 c0 7d 13 4d d7 b8 01 14 87 03 00 69 e4 9b b3

PKCS#1 padding removed, 51 bytes left:

30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 77 51 1b f4 d7 17 d7 ad 8c 2d e5 89 2a ca e0 6d a3 c0 7d 13 4d d7 b8 01 14 87 03 00 69 e4 9b b3

I would like two things about this:

  1. Is it possible to determine the hash function used? Encoded algorithm ID should be prepended to the actual body of the digest, is it possible to tell what algorithm it is from the raw bytes?

  2. Where does the actual digest start (how long the head / digest is)?

4

1 回答 1

1

This appears to be EMSA-PKCS1-v1_5 as described in RFC 3447, which means that after removing the header and padding, you have a DER encoding of an AlgorithmIdentifier followed by the hash value itself.

From the RFC:

  1. For the six hash functions mentioned in Appendix B.1, the DER encoding T of the DigestInfo value is equal to the following:

    [...]

    SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H.

So in your example, the hash value is the SHA-256 hash starting 77511bf4d7....

于 2013-04-20T10:13:00.500 回答