4

我正在试验 Chaum 的盲签名,我想做的是在 JavaScript 中完成盲和非盲,并在 Java 中签名和验证(使用充气城堡)。对于 Java 方面,我的来源是this,对于 JavaScript,我找到了盲签名。我为 Java 端创建了两个可以使用的小代码:

package crypto;

import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.signers.PSSSigner;
import org.bouncycastle.crypto.util.PrivateKeyInfoFactory;
import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.util.io.pem.PemObject;

import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Scanner;

public class RsaConcealedMessageTest {
    public static void main(String[] args) {
        AsymmetricCipherKeyPair rsaKeyPair = generateKeyPair();
        Scanner userInput = new Scanner(System.in);

        try {
            printKeyPairPems(rsaKeyPair);

            // Producing signature on concealed message
            System.out.print("Concealed message (in base64)?");
            String concealedMessageBase64 = userInput.nextLine();
            byte[] concealedMessageBytes = Base64.getDecoder().decode(concealedMessageBase64);
            byte[] signatureOnConcealedMessage = signConcealedMessage(concealedMessageBytes, rsaKeyPair.getPrivate());
            System.out.println("Signature on concealed message (base64): " + Base64.getEncoder().encodeToString(signatureOnConcealedMessage));


            // Verifying revealed signature on revealed message
            System.out.print("Revealed message (in base64)?");
            String revealedMessageBase64 = userInput.nextLine();
            System.out.print("Revealed signature (in base64)?");
            String revealedSignatureBase64 = userInput.nextLine();

            byte[] revealedMessageBytes = Base64.getDecoder().decode(revealedMessageBase64);
            System.out.println("Revealed message is: " + new String(revealedMessageBytes));
            byte[] revealedSignatureBytes = Base64.getDecoder().decode(revealedSignatureBase64);

            PSSSigner signer = new PSSSigner(new RSAEngine(), new SHA256Digest(), 0);
            signer.init(false, rsaKeyPair.getPublic());

            signer.update(revealedMessageBytes, 0, revealedMessageBytes.length);
            boolean isVerified = signer.verifySignature(revealedSignatureBytes);
            System.out.println("Revealed signature is verified on revealed message: " + isVerified);

        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    private static AsymmetricCipherKeyPair generateKeyPair() {
        RSAKeyPairGenerator generator = new RSAKeyPairGenerator();

        BigInteger publicExponent = new BigInteger("10001", 16);
        SecureRandom random = new SecureRandom();
        RSAKeyGenerationParameters keyGenParams = new RSAKeyGenerationParameters(
                publicExponent, random, 4096, 80
        );

        generator.init(keyGenParams);
        return generator.generateKeyPair();
    }

    private static void printKeyPairPems(AsymmetricCipherKeyPair keyPair) throws IOException {
        RSAKeyParameters publicKey = (RSAKeyParameters) keyPair.getPublic();
        byte[] publicKeyBytes = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(publicKey).getEncoded();
        printKeyPem("PUBLIC KEY", publicKeyBytes);

        RSAKeyParameters privateKey = (RSAKeyParameters) keyPair.getPrivate();
        byte[] privateKeyBytes = PrivateKeyInfoFactory.createPrivateKeyInfo(privateKey).getEncoded();
        printKeyPem("PRIVATE KEY", privateKeyBytes);
    }

    private static void printKeyPem(String keyType, byte[] keyBytes) throws IOException {
        PemObject pemObject = new PemObject(keyType, keyBytes);
        StringWriter keyStringWriter = new StringWriter();
        JcaPEMWriter pemWriter = new JcaPEMWriter(keyStringWriter);
        pemWriter.writeObject(pemObject);
        pemWriter.close();

        System.out.println(keyType + ": " + keyStringWriter.toString().replace("\n", ""));
    }

    private static byte[] signConcealedMessage(byte[] concealedMessage, AsymmetricKeyParameter privateKey) {
        RSAEngine engine = new RSAEngine();
        engine.init(true, privateKey);

        return engine.processBlock(concealedMessage, 0, concealedMessage.length);
    }
}

以上将生成一个密钥对,将公共部分打印到标准输出,并从标准输入读取盲消息,然后读取非盲消息和签名。对于 JavaScript (Node.js) 方面,我有这个:

const BigInteger = require('jsbn').BigInteger;
const BlindSignature = require('blind-signatures');
const NodeRSA = require('node-rsa');
const prompt = require('prompt-sync')();

const publicKeyInput = prompt("Public key in PEM?");
const publicKey = new NodeRSA(publicKeyInput);

// Concealing message
const message = "The quick brown fox jumps over the lazy dog! Hello World!";
const concealingResult = BlindSignature.blind(
    {
        message: message,
        N: publicKey.keyPair.n.toString(),
        E: publicKey.keyPair.e.toString(),
    }
);

const blindedHexStr = concealingResult.blinded.toString(16);
const blindedBuffer = Buffer.from(blindedHexStr, 'hex');

console.log(`\nConcealed message (base64): ${blindedBuffer.toString('base64')}`);
console.log(`\nr: ${concealingResult.r.toString(16)}`);

// Getting signature on concealed message and producing revealed signature
const signatureOnConcealedMessageBase64 = prompt("Signature on concealed message (base64)?");
const signatureOnConcealedMessageBuffer = Buffer.from(signatureOnConcealedMessageBase64, 'base64');
const signatureOnConcealedMessageHex = signatureOnConcealedMessageBuffer.toString('hex');
const signatureOnConcealedMessage = new BigInteger(signatureOnConcealedMessageHex, 16)

const signatureOnRevealedMessage = BlindSignature.unblind({
    signed: signatureOnConcealedMessage,
    N: publicKey.keyPair.n.toString(),
    r: concealingResult.r,
});

const revealedMessageBuffer = Buffer.from(message, 'utf8');
const revealedMessageBase64 = revealedMessageBuffer.toString('base64');
console.log(`\nRevealed message (base64): ${revealedMessageBase64}`);

const signatureOnRevealedMessageHex = signatureOnRevealedMessage.toString(16);
const signatureOnRevealedMessageBuffer = Buffer.from(signatureOnRevealedMessageHex, 'hex');
const signatureOnRevealedMessageBase64 = signatureOnRevealedMessageBuffer.toString('base64');
console.log(`\nSignature on revealed message (base64): ${signatureOnRevealedMessageBase64}`);

这会读取公钥,生成盲消息,然后进行解盲。

Java代码的验证部分失败,不知道为什么。有谁有想法吗?

4

1 回答 1

2

NodeJS代码中用于盲签名的盲签名库实现了这里描述的过程:

在此过程中不会发生填充。

在 Java 代码中,签名盲消息的实现在signConcealedMessage()功能上与BlindSignature.sign().
相比之下,Java代码中的验证与上述过程不兼容,因为Java代码在验证时使用PSS作为填充。
例如,兼容的 Java 代码是:

RSAEngine engine = new RSAEngine();
engine.init(false, rsaKeyPair.getPublic());
byte[] signatureDecrypted = engine.processBlock(revealedSignatureBytes, 0, revealedSignatureBytes.length);  // calculates s^e          
byte[] messageHashed = MessageDigest.getInstance("SHA-256").digest(revealedMessageBytes);
System.out.println(Arrays.equals(messageHashed, signatureDecrypted)); // verification successfull, if s^e identical with the SHA256 hash of the message

有了这个验证码就成功了。

似乎有一个用于盲签名的 RFC,它确实使用了 PSS 的扩展,请参阅draft-irtf-cfrg-rsa-blind-signatures
BouncyCastle 还提供了盲签名的实现,参见例如RSABlindingEngine,它被引用的 Java 库应用。

于 2021-12-13T10:16:27.960 回答