0

借助 EC-HSM,我使用 Azure JS SDK 进行了测试,以使用密钥库对数据进行签名和验证

当我使用 Azure JS SDK 验证它是否正常工作时,我将输出放在注释中

describe('crypto services', () => {
  it('Azure HSM', async () => {
    const client = new KeyClient(
      'https://xxx.vault.azure.net',
      new EnvironmentCredential(),
    );

    const keys: { [key: string]: KeyVaultKey } = {};
    for await (const key of client.listPropertiesOfKeys()) {
      keys[key.name] = await client.getKey(key.name);
    }
    console.log('available keys', Object.keys(keys)); //logging ['tmp']

    const cryptoClient = new CryptographyClient(
      keys['tmp'],
      new EnvironmentCredential(),
    );
    const content = Buffer.from('Hello world');
    const sig = await cryptoClient.signData('ES256', content);
    console.log('signature', Buffer.from(sig.result).toString('base64')); //logging different output on each call
    console.log('key crv', keys['tmp'].key.crv); //P-256
    console.log('key x', Buffer.from(keys['tmp'].key?.x).toString('base64')); //OC76WxZ/TMzJnRqv/cy9llDqSIMWlplgREY3jMxDCks=
    console.log('key y', Buffer.from(keys['tmp'].key?.y).toString('base64')); //Dxgw8nqXoO3xXQruejfQa/Z+aFpo/4ilC64JUHoRoog=

    const verif = await cryptoClient.verifyData('ES256', content, sig.result);
    expect(verif.result).toBe(true);
  });
})

现在,我想在不调用 azure sdk 的情况下进行本地验证(这正是首先使用非对称加密的原因)

  it.only('local HSM verif', () => {
    const content = Buffer.from('Hello world'); //same content
    const sigs = [ //some values I received
      'bxw1nS8Q39mnQVkAhvJctXuLHz4n0wUjLbE+phj1XlUeWDxl7DCK5bG4d7YrL7zGtAnUq3YT9AdrrAXjpwhCzQ==',
      'hlh1CJSKivFYcdVygI0KJfUCGYor+whUu6NsJZhNTCllHHRmgh9FvcvxBSFVu0am7A9lryG/N5vLAv/B1Niiew==',
    ];
    const base64X = 'OC76WxZ/TMzJnRqv/cy9llDqSIMWlplgREY3jMxDCks='; //same as output of previous test
    const base64Y = 'Dxgw8nqXoO3xXQruejfQa/Z+aFpo/4ilC64JUHoRoog=';//same as output of previous test
    //converting the jwk to PEM thanks to the jwk-to-pem package
    const publicKey = jwkToPem({
      kty: 'EC',
      crv: 'P-256',
      x: base64X,
      y: base64Y,
    });
    for (const sig of sigs) {
      const verifyLocal = crypto.createVerify('sha256');
      verifyLocal.update(content);        
      const verifLocal = verifyLocal.verify(publicKey, sig);
      expect(verifLocal).toBe(true); //it always fails here
    }
  });

有人可以解释发生了什么吗?

我的猜测是公共签名不正确,因此在 base64 中也不x正确y

例如,如果我使用 mkjwk.org 生成 JWK

{
kty: 'EC',
d: '7LU9Y16XKiFMcPVm39B5fVOtG0s-bnJwaeEtMrk9udE',
crv: 'P-256',
x: 'g-68Nakmi41xMv6zKduBn4dqcqJ0KXDqdS2rFpxUQOA',
y: 'pYRqhl2YDKBwGGkIXdYQQWuNjOtPcCe1bz_VYalXFW0',
}

它们看起来更短并且没有'/'或'='

4

1 回答 1

0

问题是 NodeJS 需要一个 ASN.1 DER 签名,而 Azure Key Vault 创建一个 IEEE-P1363 签名(又名级联签名)。

使用 Node.js/crypto 生成 ECDSA 签名对此进行了详细介绍。

以下代码片段可用于将连接签名转换为 NodeJS 期望的格式(在 、 和包的帮助jwk-to-pemasn1.jsbn.js

import { CryptographyClient, KeyClient } from "@azure/keyvault-keys";
import { AzureCliCredential } from "@azure/identity";
import jwkToPem from "jwk-to-pem";
import * as crypto from "crypto";
import asn1 from "asn1.js";
import BN from "bn.js";

const EcdsaDerSig = asn1.define("ECPrivateKey", function (this: any) {
  return this.seq().obj(this.key("r").int(), this.key("s").int());
});

function concatSigToAsn1SigSig(concatSigBuffer: any) {
  const r = new BN(concatSigBuffer.slice(0, 32).toString("hex"), 16, "be");
  const s = new BN(concatSigBuffer.slice(32).toString("hex"), 16, "be");
  return EcdsaDerSig.encode({ r, s }, "der");
}

async function main() {
  const content = Buffer.from("Hello world"); // some content
  const client = new KeyClient(
    "https://<your_vault_name>.vault.azure.net",
    new AzureCliCredential()
  );
  const key = await client.createEcKey("eckeytest");

  const cryptoClient = new CryptographyClient(key, new AzureCliCredential());
  const signature = await cryptoClient.signData("ES256", content); // sign data remotely in Azure Key Vault
  const sig = concatSigToAsn1SigSig(signature.result); // convert sig to the node.js expected format

  const base64X = Buffer.from(key.key!.x!).toString("base64");
  const base64Y = Buffer.from(key.key!.y!).toString("base64");
  // convert JWK to PEM for verification
  const publicKey = jwkToPem({
    kty: "EC",
    crv: "P-256",
    x: base64X,
    y: base64Y,
  });

  // Depending on the version of Node used, you could use `crypto.verify` directly.
  const keyObj = crypto.createPublicKey(publicKey);
  let result = crypto.verify("sha256", content, keyObj, sig);
  console.log("Result using crypto.verify", result);

  // using a verifier which can be used directly with the `publicKey`
  let verify = crypto.createVerify("sha256");
  verify.update(content);
  verify.end();
  result = verify.verify(publicKey, sig);
  console.log("Result using crypto.createVerify", result);
}

main()
  .then(() => console.log("done"))
  .catch((err) => console.log(err));
于 2021-09-27T17:04:01.607 回答