我尝试使用SHA-256withECDSA签名算法生成 CSR,但通过使用 Bouncy Castle API 验证在 CSR 中得到错误无效签名。我正在使用加密令牌进行签名
我也确实更改了其他签名算法,例如 SHA1,但仍然得到无效签名。因此,怀疑错误与算法无关,而是与 DER 编码有关。
这是我签署pkcs10的方法
public static byte[] GeneratePkcs10(Session session, ObjectHandle privateKeyHandle)
{
mechanism = new Mechanism(CKM.CKM_ECDSA);
SignatureAlgorihtm = EcSigOID.SHA256; // OID : 1.2.840.10045.4.3.2
X9ECParameters x9Ec = ECNamedCurveTable.GetByName("P-256");
ECDomainParameters domain = new ECDomainParameters(x9Ec.Curve, x9Ec.G, x9Ec.N, x9Ec.H);
var pubKeyParam = ToPublicKey(PrivKey, domain);
pkcs10 = new Pkcs10CertificationRequestDelaySigned(SignatureAlgorihtm, new X509Name(subjectDistinguishedName), pubKeyParam, attributes: new DerSet());
byte[] signature = session.Sign(mechanism, privateKeyHandle, GetMessageDigest(session, pkcs10.GetDataToSign()));
signature = ConstructEcdsaSigValue(signature);
pkcs10.SignRequest(new DerBitString(signature));
}
public static bool Verify(byte[] csrSigned)
{
var csr = new Pkcs10CertificationRequest(csrSigned);
bool isValid = csr.Verify();
log.Info("isValid : " + isValid); // FALSE
return isValid;
}
private static byte[] GetMessageDigest(Session _session, byte[] message)
{
using (Mechanism mechanism = new Mechanism(CKM.CKM_SHA256))
{
return _session.Digest(mechanism, message);
}
}
public static byte[] ConstructEcdsaSigValue(byte[] rs)
{
if (rs == null)
throw new ArgumentNullException(nameof(rs));
if (rs.Length < 2 || rs.Length % 2 != 0)
throw new ArgumentException("Invalid length", nameof(rs));
var derSignature = new DerSequence(
// first 32 bytes is "r" number
new DerInteger(new BigInteger(1, rs.Take(32).ToArray())),
// last 32 bytes is "s" number
new DerInteger(new BigInteger(1, rs.Skip(32).ToArray()))).GetDerEncoded();
return derSignature;
}
签名长度:71
r =32 + s =32,签名为 64字节。附加字节是填充,r 或 s
输出企业社会责任
-----BEGIN CERTIFICATE REQUEST-----
MIHxMIGZAgEAMDcxDDAKBgNVBAMMA0FCQzEaMBgGA1UECgwRQUJDLmNvbSBTZG4u
IEJoZC4xCzAJBgNVBAYTAk1ZMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyc2h
gzb7gIUwRIym88PxOKTZSiPMOgQjdt0PP9h6kgexOJquZk9duXh0LKXuDI/YaNpb
KxJ91ZGRrdaYbhbvTKAAMAoGCCqGSM49BAMCA0cAMEQCIAaeCoYsDYx1h29GRGKg
XVBB2xXZjsHnr5hZ2iqMgQV2AiB+P7w1Wos8sHRbnyGQW5NCBz+RVrWrWaGa37S9
W0lyBQ==
-----END CERTIFICATE REQUEST-----
点击此处在线查看企业社会责任及详情
老实说,如果这是此签名的问题,我不确定如何修改签名r和s填充。希望有人可以指导我。任何建议都可能有所帮助