0

我尝试使用SHA-256withECDSA签名算法生成 CSR,但通过使用 Bouncy Castle API 验证在 CSR 中得到错误无效签名。我正在使用加密令牌进行签名

我也确实更改了其他签名算法,例如 SHA1,但仍然得到无效签名。因此,怀疑错误与算法无关,而是与 DER 编码有关。

这是我签署pkcs10的方法

public static byte[] GeneratePkcs10(Session session, ObjectHandle privateKeyHandle)
{
    mechanism = new Mechanism(CKM.CKM_ECDSA);
    SignatureAlgorihtm = EcSigOID.SHA256; // OID : 1.2.840.10045.4.3.2
    X9ECParameters x9Ec = ECNamedCurveTable.GetByName("P-256");
    ECDomainParameters domain = new ECDomainParameters(x9Ec.Curve, x9Ec.G, x9Ec.N, x9Ec.H);
    var pubKeyParam = ToPublicKey(PrivKey, domain);

    pkcs10 = new Pkcs10CertificationRequestDelaySigned(SignatureAlgorihtm, new X509Name(subjectDistinguishedName), pubKeyParam, attributes: new DerSet());
    byte[] signature = session.Sign(mechanism, privateKeyHandle, GetMessageDigest(session, pkcs10.GetDataToSign()));

    signature = ConstructEcdsaSigValue(signature);
    pkcs10.SignRequest(new DerBitString(signature));
}

public static bool Verify(byte[] csrSigned)
{
  var csr = new Pkcs10CertificationRequest(csrSigned);
  bool isValid = csr.Verify();
  log.Info("isValid : " + isValid); // FALSE
  return isValid;
}

private static byte[] GetMessageDigest(Session _session, byte[] message)
{
   using (Mechanism mechanism = new Mechanism(CKM.CKM_SHA256))
   {
     return _session.Digest(mechanism, message);
   }
}

public static byte[] ConstructEcdsaSigValue(byte[] rs)
{
  if (rs == null)
    throw new ArgumentNullException(nameof(rs));

  if (rs.Length < 2 || rs.Length % 2 != 0)
    throw new ArgumentException("Invalid length", nameof(rs));

  var derSignature = new DerSequence(
  // first 32 bytes is "r" number
  new DerInteger(new BigInteger(1, rs.Take(32).ToArray())),
  // last 32 bytes is "s" number
  new DerInteger(new BigInteger(1, rs.Skip(32).ToArray()))).GetDerEncoded();

  return derSignature;
}

签名长度:71

r =32 + s =32,签名为 64字节。附加字节是填充,r 或 s

输出企业社会责任

-----BEGIN CERTIFICATE REQUEST-----
MIHxMIGZAgEAMDcxDDAKBgNVBAMMA0FCQzEaMBgGA1UECgwRQUJDLmNvbSBTZG4u
IEJoZC4xCzAJBgNVBAYTAk1ZMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyc2h
gzb7gIUwRIym88PxOKTZSiPMOgQjdt0PP9h6kgexOJquZk9duXh0LKXuDI/YaNpb
KxJ91ZGRrdaYbhbvTKAAMAoGCCqGSM49BAMCA0cAMEQCIAaeCoYsDYx1h29GRGKg
XVBB2xXZjsHnr5hZ2iqMgQV2AiB+P7w1Wos8sHRbnyGQW5NCBz+RVrWrWaGa37S9
W0lyBQ==
-----END CERTIFICATE REQUEST-----

点击此处在线查看企业社会责任及详情

老实说,如果这是此签名的问题,我不确定如何修改签名rs填充。希望有人可以指导我。任何建议都可能有所帮助

4

0 回答 0